mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
Enable secure and httpOnly option for sessions
These are 2 measures for improving security of cookies. One is used to not send the cookie over HTTP (only HTTPS) and the other tells the browser to disallow client-side code accessing the cookie.
This commit is contained in:
parent
6e3a9494ce
commit
92b78f7c15
|
@ -5,6 +5,8 @@ services:
|
||||||
restart: always
|
restart: always
|
||||||
volumes:
|
volumes:
|
||||||
- ./config.template.yml:/etc/authelia/config.yml:ro
|
- ./config.template.yml:/etc/authelia/config.yml:ro
|
||||||
|
environment:
|
||||||
|
- NODE_TLS_REJECT_UNAUTHORIZED=0
|
||||||
depends_on:
|
depends_on:
|
||||||
- redis
|
- redis
|
||||||
networks:
|
networks:
|
||||||
|
|
|
@ -6,6 +6,8 @@ services:
|
||||||
volumes:
|
volumes:
|
||||||
- ./config.template.yml:/etc/authelia/config.yml:ro
|
- ./config.template.yml:/etc/authelia/config.yml:ro
|
||||||
- ./notifications:/var/lib/authelia/notifications
|
- ./notifications:/var/lib/authelia/notifications
|
||||||
|
environment:
|
||||||
|
- NODE_TLS_REJECT_UNAUTHORIZED=0
|
||||||
depends_on:
|
depends_on:
|
||||||
- redis
|
- redis
|
||||||
networks:
|
networks:
|
||||||
|
|
|
@ -35,6 +35,7 @@ http {
|
||||||
proxy_set_header X-Original-URI $request_uri;
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
proxy_pass http://authelia/;
|
proxy_pass http://authelia/;
|
||||||
|
|
||||||
|
@ -73,6 +74,7 @@ http {
|
||||||
internal;
|
internal;
|
||||||
proxy_set_header X-Original-URI $request_uri;
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header Content-Length "";
|
proxy_set_header Content-Length "";
|
||||||
|
|
||||||
|
@ -126,6 +128,7 @@ http {
|
||||||
internal;
|
internal;
|
||||||
proxy_set_header X-Original-URI $request_uri;
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header Content-Length "";
|
proxy_set_header Content-Length "";
|
||||||
|
|
||||||
|
@ -162,6 +165,7 @@ http {
|
||||||
internal;
|
internal;
|
||||||
proxy_set_header X-Original-URI $request_uri;
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header Content-Length "";
|
proxy_set_header Content-Length "";
|
||||||
|
|
||||||
|
@ -198,6 +202,7 @@ http {
|
||||||
internal;
|
internal;
|
||||||
proxy_set_header X-Original-URI $request_uri;
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header Content-Length "";
|
proxy_set_header Content-Length "";
|
||||||
|
|
||||||
|
@ -234,6 +239,7 @@ http {
|
||||||
internal;
|
internal;
|
||||||
proxy_set_header X-Original-URI $request_uri;
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header Content-Length "";
|
proxy_set_header Content-Length "";
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,5 @@
|
||||||
#! /usr/bin/env node
|
#! /usr/bin/env node
|
||||||
|
|
||||||
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
|
|
||||||
|
|
||||||
import Server from "./lib/Server";
|
import Server from "./lib/Server";
|
||||||
import { GlobalDependencies } from "../types/Dependencies";
|
import { GlobalDependencies } from "../types/Dependencies";
|
||||||
import YAML = require("yamljs");
|
import YAML = require("yamljs");
|
||||||
|
|
|
@ -23,8 +23,8 @@ import * as http from "http";
|
||||||
const addRequestId = require("express-request-id")();
|
const addRequestId = require("express-request-id")();
|
||||||
|
|
||||||
// Constants
|
// Constants
|
||||||
|
|
||||||
const TRUST_PROXY = "trust proxy";
|
const TRUST_PROXY = "trust proxy";
|
||||||
|
const X_POWERED_BY = "x-powered-by";
|
||||||
const VIEWS = "views";
|
const VIEWS = "views";
|
||||||
const VIEW_ENGINE = "view engine";
|
const VIEW_ENGINE = "view engine";
|
||||||
const PUG = "pug";
|
const PUG = "pug";
|
||||||
|
@ -54,9 +54,9 @@ export default class Server {
|
||||||
app.use(BodyParser.json());
|
app.use(BodyParser.json());
|
||||||
app.use(deps.session(expressSessionOptions));
|
app.use(deps.session(expressSessionOptions));
|
||||||
app.use(addRequestId);
|
app.use(addRequestId);
|
||||||
app.disable("x-powered-by");
|
app.disable(X_POWERED_BY);
|
||||||
|
app.enable(TRUST_PROXY);
|
||||||
|
|
||||||
app.set(TRUST_PROXY, 1);
|
|
||||||
app.set(VIEWS, viewsDirectory);
|
app.set(VIEWS, viewsDirectory);
|
||||||
app.set(VIEW_ENGINE, PUG);
|
app.set(VIEW_ENGINE, PUG);
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,8 @@ export class SessionConfigurationBuilder {
|
||||||
resave: false,
|
resave: false,
|
||||||
saveUninitialized: true,
|
saveUninitialized: true,
|
||||||
cookie: {
|
cookie: {
|
||||||
secure: false,
|
secure: true,
|
||||||
|
httpOnly: true,
|
||||||
maxAge: configuration.session.expiration,
|
maxAge: configuration.session.expiration,
|
||||||
domain: configuration.session.domain
|
domain: configuration.session.domain
|
||||||
},
|
},
|
||||||
|
|
|
@ -73,7 +73,8 @@ describe("test session configuration builder", function () {
|
||||||
resave: false,
|
resave: false,
|
||||||
saveUninitialized: true,
|
saveUninitialized: true,
|
||||||
cookie: {
|
cookie: {
|
||||||
secure: false,
|
secure: true,
|
||||||
|
httpOnly: true,
|
||||||
maxAge: 3600,
|
maxAge: 3600,
|
||||||
domain: "example.com"
|
domain: "example.com"
|
||||||
}
|
}
|
||||||
|
@ -153,7 +154,8 @@ describe("test session configuration builder", function () {
|
||||||
resave: false,
|
resave: false,
|
||||||
saveUninitialized: true,
|
saveUninitialized: true,
|
||||||
cookie: {
|
cookie: {
|
||||||
secure: false,
|
secure: true,
|
||||||
|
httpOnly: true,
|
||||||
maxAge: 3600,
|
maxAge: 3600,
|
||||||
domain: "example.com"
|
domain: "example.com"
|
||||||
},
|
},
|
||||||
|
|
Loading…
Reference in New Issue
Block a user