datawire / ambassador-pro


access_token setting issues #1

Closed richarddli closed 6 years ago

richarddli commented 6 years ago

In the access_token cookie, Ambassador does not set the HTTP_ONLY flag, which means the cookie could be vulnerable to XSS attacks. The Secure flag doesn't get set, either, meaning it'll transmit over HTTP or HTTPS.
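Added example (not Ambassador's code): a constructed Go program that issues an `access_token` cookie both the way the issue describes (no `HttpOnly`, no `Secure`) and in hardened form, then runs a small checker over the resulting `Set-Cookie` header to report which protective attributes are missing. The cookie value, the `SameSite=Lax` choice and the helper names are assumptions for illustration; only `net/http` is used.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// weakAccessTokenCookie mirrors the behaviour reported in the issue:
// the cookie is set without HttpOnly or Secure, so script on the page
// can read it and the browser will send it over plain HTTP.
// (Constructed example, not the project's own code.)
func weakAccessTokenCookie(token string) *http.Cookie {
	return &http.Cookie{Name: "access_token", Value: token, Path: "/"}
}

// hardenedAccessTokenCookie is the corrected form: HttpOnly keeps the
// token out of document.cookie, Secure restricts it to HTTPS, and
// SameSite=Lax (an assumed choice here) limits cross-site sends.
func hardenedAccessTokenCookie(token string) *http.Cookie {
	return &http.Cookie{
		Name:     "access_token",
		Value:    token,
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	}
}

// SetCookieHeader renders a cookie exactly as it would appear on the wire
// by passing it through the standard library's Set-Cookie serializer.
func SetCookieHeader(c *http.Cookie) string {
	rec := httptest.NewRecorder()
	http.SetCookie(rec, c)
	return rec.Header().Get("Set-Cookie")
}

// MissingCookieFlags parses a raw Set-Cookie header value and returns the
// protective attributes (lower-cased) that are absent. Attribute names are
// compared case-insensitively; attributes with values (e.g. SameSite=Lax)
// are matched on the name only. Returns nil when nothing is missing.
func MissingCookieFlags(setCookie string) []string {
	present := map[string]bool{}
	parts := strings.Split(setCookie, ";")
	// parts[0] is name=value; everything after it is an attribute.
	for _, p := range parts[1:] {
		name := strings.SplitN(strings.TrimSpace(p), "=", 2)[0]
		present[strings.ToLower(name)] = true
	}
	var missing []string
	for _, want := range []string{"httponly", "secure", "samesite"} {
		if !present[want] {
			missing = append(missing, want)
		}
	}
	return missing
}

func main() {
	// "tok" is a constructed placeholder value, not a real token.
	for _, c := range []*http.Cookie{
		weakAccessTokenCookie("tok"),
		hardenedAccessTokenCookie("tok"),
	} {
		hdr := SetCookieHeader(c)
		fmt.Printf("%s\n  missing attributes: %v\n", hdr, MissingCookieFlags(hdr))
	}
}
```

Running it prints the weak header with all three attributes reported missing and the hardened header with none; the same checker can be pointed at headers captured from a gateway to confirm a fix landed.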

gsagula commented 6 years ago

@richarddli Can you please assign this issue to me?