Enable secure and httpOnly option for sessions

These are 2 measures for improving security of cookies. One is used to
not send the cookie over HTTP (only HTTPS) and the other tells the browser to
disallow client-side code accessing the cookie.
This commit is contained in:
Clement Michaud 2017-10-15 16:34:39 +02:00
parent 6e3a9494ce
commit 92b78f7c15
7 changed files with 19 additions and 8 deletions

View File

@ -5,6 +5,8 @@ services:
restart: always
volumes:
- ./config.template.yml:/etc/authelia/config.yml:ro
environment:
- NODE_TLS_REJECT_UNAUTHORIZED=0
depends_on:
- redis
networks:

View File

@ -6,6 +6,8 @@ services:
volumes:
- ./config.template.yml:/etc/authelia/config.yml:ro
- ./notifications:/var/lib/authelia/notifications
environment:
- NODE_TLS_REJECT_UNAUTHORIZED=0
depends_on:
- redis
networks:

View File

@ -35,6 +35,7 @@ http {
proxy_set_header X-Original-URI $request_uri;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://authelia/;
@ -73,6 +74,7 @@ http {
internal;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header Content-Length "";
@ -126,6 +128,7 @@ http {
internal;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header Content-Length "";
@ -162,6 +165,7 @@ http {
internal;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header Content-Length "";
@ -198,6 +202,7 @@ http {
internal;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header Content-Length "";
@ -234,6 +239,7 @@ http {
internal;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header Content-Length "";

View File

@ -1,7 +1,5 @@
#! /usr/bin/env node
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
import Server from "./lib/Server";
import { GlobalDependencies } from "../types/Dependencies";
import YAML = require("yamljs");

View File

@ -23,8 +23,8 @@ import * as http from "http";
const addRequestId = require("express-request-id")();
// Constants
const TRUST_PROXY = "trust proxy";
const X_POWERED_BY = "x-powered-by";
const VIEWS = "views";
const VIEW_ENGINE = "view engine";
const PUG = "pug";
@ -54,9 +54,9 @@ export default class Server {
app.use(BodyParser.json());
app.use(deps.session(expressSessionOptions));
app.use(addRequestId);
app.disable("x-powered-by");
app.disable(X_POWERED_BY);
app.enable(TRUST_PROXY);
app.set(TRUST_PROXY, 1);
app.set(VIEWS, viewsDirectory);
app.set(VIEW_ENGINE, PUG);

View File

@ -12,7 +12,8 @@ export class SessionConfigurationBuilder {
resave: false,
saveUninitialized: true,
cookie: {
secure: false,
secure: true,
httpOnly: true,
maxAge: configuration.session.expiration,
domain: configuration.session.domain
},

View File

@ -73,7 +73,8 @@ describe("test session configuration builder", function () {
resave: false,
saveUninitialized: true,
cookie: {
secure: false,
secure: true,
httpOnly: true,
maxAge: 3600,
domain: "example.com"
}
@ -153,7 +154,8 @@ describe("test session configuration builder", function () {
resave: false,
saveUninitialized: true,
cookie: {
secure: false,
secure: true,
httpOnly: true,
maxAge: 3600,
domain: "example.com"
},