Couchbase Gateway / CBG-622

Use secure cookies when SG is configured to listen over TLS


Details

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Major
    • Fix Version: 2.8.0
    • Component: SyncGateway
    • Security Level: Public
    • Sprint: CBG Sprint 38, CBG Sprint 39, CBG Sprint 40
    • Story Points: 3

    Description

      It's highly recommended to set the "Secure" flag on cookies when serving them over HTTPS. We should set it when we know we're serving the REST API over TLS.

      If a customer is using a load balancer to do TLS termination, or if a customer does not want the Secure flag on even over TLS, we should provide a database config option that sets the flag explicitly and overrides this behaviour.


      https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Directives

      https://security.stackexchange.com/questions/186441/any-reason-not-to-set-all-cookies-to-use-httponly-and-secure
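The policy proposed in this ticket, written out as an added Go example (it is not Sync Gateway's own code): the Secure flag follows whether the REST listener is on TLS, and a per-database tri-state override can force it on (TLS terminated at a load balancer) or off. The `ServerConfig`/`DbConfig` struct names, the `SecureCookies` field, and the cookie name are assumptions, not the project's real configuration schema.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ServerConfig records whether the REST API listener itself serves TLS.
// (Hypothetical struct, not Sync Gateway's real config type.)
type ServerConfig struct {
	TLSEnabled bool
}

// DbConfig carries the per-database override the ticket asks for. A nil
// pointer means "no override, decide from the listener"; a non-nil value
// forces the Secure flag on (e.g. a plain HTTP listener behind a load
// balancer that terminates TLS) or off (the operator explicitly does not
// want it even over TLS). (Hypothetical field name.)
type DbConfig struct {
	SecureCookies *bool
}

// boolPtr builds an override value inline.
func boolPtr(b bool) *bool { return &b }

// secureCookies resolves the policy: an explicit per-database override
// wins; otherwise the flag follows whether the listener is on TLS.
func secureCookies(server ServerConfig, db DbConfig) bool {
	if db.SecureCookies != nil {
		return *db.SecureCookies
	}
	return server.TLSEnabled
}

// sessionCookie builds the session cookie. HttpOnly is always set so the
// session token is never exposed to scripts; Secure follows the resolved
// policy. The cookie name is assumed here, not taken from the project.
func sessionCookie(value string, server ServerConfig, db DbConfig) *http.Cookie {
	return &http.Cookie{
		Name:     "SyncGatewaySession",
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   secureCookies(server, db),
	}
}

// setCookieHeader renders the Set-Cookie header the server would emit,
// using a response recorder so the policy can be checked without a socket.
func setCookieHeader(c *http.Cookie) string {
	rec := httptest.NewRecorder()
	http.SetCookie(rec, c)
	return rec.Header().Get("Set-Cookie")
}

func main() {
	// Constructed deployment scenarios; the session value is a placeholder.
	cases := []struct {
		label  string
		server ServerConfig
		db     DbConfig
	}{
		{"TLS listener, no override", ServerConfig{TLSEnabled: true}, DbConfig{}},
		{"plain HTTP listener, no override", ServerConfig{TLSEnabled: false}, DbConfig{}},
		{"plain HTTP behind TLS-terminating LB, forced on", ServerConfig{TLSEnabled: false}, DbConfig{SecureCookies: boolPtr(true)}},
		{"TLS listener, operator forces off", ServerConfig{TLSEnabled: true}, DbConfig{SecureCookies: boolPtr(false)}},
	}
	for _, tc := range cases {
		fmt.Printf("%-48s -> %s\n", tc.label, setCookieHeader(sessionCookie("s3ss10n", tc.server, tc.db)))
	}
}
```

Two practical checks follow from this layout: with TLS terminated at a load balancer the listener sees plain HTTP, so without the forced-on override the cookie would silently lose Secure; and a forced-off override on a TLS listener should be treated as a deliberate, documented exception rather than a default, since it lets the browser replay the session cookie over cleartext.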



          People

            jacques.rascagneres (Jacques Rascagneres)
            ben.brooks (Ben Brooks)
            Votes: 0
            Watchers: 0
