Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set HttpOnly and Secure flags in session cookies #5911

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Set HttpOnly and Secure flags in session cookies #5911

wants to merge 3 commits into from
+4 −0

Conversation

eapolinario
Copy link
Contributor

Why are the changes needed?

Setting these 2 fields is standard practice. All modern browsers implement them.

What changes were proposed in this pull request?

We set HttpOnly and Secure flags in all cookies produced by Flyte. Notice that those are generated only if auth is enabled.

More information about those flags:

  • https://owasp.org/www-community/HttpOnly: The HttpOnly option prevents JavaScript code from accessing the cookie. This can provide some protection from cookie theft if an attacker successfully exploits a Cross-Site Scripting (XSS) vulnerability.
  • https://cwe.mitre.org/data/definitions/614.html: The Secure cookie flag is an option that can be used to prevent the browser from sending the cookie over a plaintext connection. This can prevent an attacker from attempting session hijacking through Man-in-the-Middle (MitM) attacks.

Currently we allow the use of auth without TLS, but I'm wondering if we should remove that case (or disallow it explicitly).

How was this patch tested?

Setup process

Screenshots

Check all the applicable boxes

  • I updated the documentation accordingly.
  • All new and existing tests passed.
  • All commits are signed-off.

Related PRs

Docs link

@codecov Codecov
Copy link

codecov bot commented Oct 24, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 36.82%. Comparing base (56b6d6d) to head (0a308c4).
Report is 15 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #5911      +/-   ##
==========================================
+ Coverage   36.71%   36.82%   +0.10%     
==========================================
  Files        1304     1309       +5     
  Lines      130081   130942     +861     
==========================================
+ Hits        47764    48221     +457     
- Misses      78147    78537     +390     
- Partials     4170     4184      +14
Flag Coverage Δ
unittests-datacatalog 51.58% <ø> (ø)
unittests-flyteadmin 54.04% <100.00%> (-0.38%) ⬇️
unittests-flytecopilot 11.73% <ø> (ø)
unittests-flytectl 62.40% <ø> (ø)
unittests-flyteidl 6.92% <ø> (+0.03%) ⬆️
unittests-flyteplugins 53.64% <ø> (+0.01%) ⬆️
unittests-flytepropeller 43.00% <ø> (+0.15%) ⬆️
unittests-flytestdlib 55.41% <ø> (+0.62%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@eapolinario
Fix lint warning
0a308c4 
Signed-off-by: Eduardo Apolinario <[email protected]>
@Sovietaced
Copy link
Contributor

Currently we allow the use of auth without TLS, but I'm wondering if we should remove that case (or disallow it explicitly).

I feel like it’s pretty normal to run plaintext from an ingress to an origin on the same node. At least that’s what we do.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@eapolinario @Sovietaced