No way to set the secure option for Set-Cookie header #145
Comments
|
I agree: a "mark all cookies as secure" feature. I have to think something else already does this, perhaps in a rack middleware. |
|
You're right... https://github.com/tobmatth/rack-ssl-enforcer already does this + more. Nonetheless, for those wanting a one-gem solution, do you think this might be a useful feature to add to secure_headers? I'd be willing to open up a PR to try to get this working. |
|
Certainly! |
|
@jmera any interest in continuing with this? We can lift https://github.com/tobmatth/rack-ssl-enforcer/blob/master/lib/rack/ssl-enforcer.rb#L183 as I can't see any way to improve upon what was already implemented (other than extracting that regex to a constant) |
|
@oreoshake I'll give it a shot! I already wrote something similar a while back: https://github.com/jmera/secure_cookies/blob/master/lib/rack/secure_cookies.rb#L20 Will open up a PR 😄 |
|
@oreoshake the only way I see this working is through Rack middleware that lies on top of the app's cookie middleware (so we can have access to We could try to make this a config option and "automagically" place said middleware at the top of the stack. ::SecureHeaders::Configuration.default do |config|
config.flag_cookies_as_secure = ENV['RACK_ENV'] == 'production'
...
endAt the moment it isn't completely clear to me how we'd accomplish the automagical part... |
|
You could add it to the existing middleware and have it noop if the flag is false. Your existing documentation will instruct people where to place the middleware (it's also added via a railtie just in case) |
|
Implemented in #231 |
I'm not sure if this is in the works. It'd be nice to be able to easily set the Secure option on the
Set-Cookieheader so it looks something like:Set-Cookie: _app_name=some_string; path=/; expires=Wed, 17-Jun-2015 20:41:13 GMT; HttpOnly; SecureInfo about the flag here: https://www.owasp.org/index.php/SecureFlag
The text was updated successfully, but these errors were encountered: