Details
- Improvement
- Resolution: Fixed
- Major
- None
- Security Level: Public
- None
- CBG Sprint 38, CBG Sprint 39, CBG Sprint 40
- 3
Description
It's highly recommended to set the "Secure" flag on cookies when serving them over HTTPS. We should set it when we know we're serving the REST API over TLS.
If a customer is using a load balancer for TLS termination, or does not want the Secure flag even over TLS, we should provide a database config option that sets the flag explicitly and overrides the automatic behaviour.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Directives
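As an added illustration (not the project's own code), the decision described above in Go: a hypothetical per-database `SecureOverride` setting, where nil means "auto" (Secure follows whether this server terminated TLS) and an explicit true/false wins, which covers the TLS-terminating load balancer case where `req.TLS` is nil even though the client used HTTPS. The cookie name is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// CookieSecureConfig stands in for a hypothetical per-database config option
// (name assumed, not the project's real setting). nil means "auto": the
// Secure flag follows whether this server terminated TLS for the request.
type CookieSecureConfig struct {
	SecureOverride *bool
}

// CookieSecure decides the flag: an explicit override always wins, otherwise
// it tracks the transport. tlsRequest is false behind a TLS-terminating load
// balancer (req.TLS is nil there), which is why the override exists.
func CookieSecure(cfg CookieSecureConfig, tlsRequest bool) bool {
	if cfg.SecureOverride != nil {
		return *cfg.SecureOverride
	}
	return tlsRequest
}

// SetSessionCookie writes a session cookie with Secure derived as above;
// HttpOnly and SameSite=Lax are sensible defaults for a session cookie.
func SetSessionCookie(w http.ResponseWriter, req *http.Request, cfg CookieSecureConfig, value string) *http.Cookie {
	c := &http.Cookie{
		Name:     "SyncGatewaySession", // constructed cookie name
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
		Secure:   CookieSecure(cfg, req.TLS != nil),
	}
	http.SetCookie(w, c)
	return c
}

func boolPtr(b bool) *bool { return &b }

func main() {
	// Constructed plain-HTTP request, as seen behind a TLS-terminating proxy.
	rec := httptest.NewRecorder()
	req := httptest.NewRequest("GET", "http://example.test/db/_session", nil)
	c := SetSessionCookie(rec, req, CookieSecureConfig{SecureOverride: boolPtr(true)}, "abc")
	fmt.Println(rec.Header().Get("Set-Cookie"), c.Secure) // Set-Cookie carries "Secure"; prints true
}
```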