finos / a11y-theme-builder

DesignOps toolchain theme builder for accessibility inclusion using Atomic Design.
Apache License 2.0

[REQUEST] Improve Security by Enabling httpOnly Flag for Cookies #864

Open Photon3009 opened 4 months ago

Photon3009 commented 4 months ago

Suggestion/Concern

The httpOnly option for cookies is currently set to false, allowing them to be accessed via JavaScript. This poses a security risk as it makes the cookies vulnerable to cross-site scripting (XSS) attacks.

Proposed Solution

To enhance security, the httpOnly flag for cookies should be set to true. This prevents client-side scripts from accessing the cookies, thereby mitigating the risk of XSS attacks. By enabling httpOnly, sensitive cookie data remains inaccessible to JavaScript, improving the overall security posture of the application.

aaronreed708 commented 4 months ago

You are right, we should take that precaution, though the only use we have for cookies currently is when running with basic auth on.

ravjot07 commented 4 months ago

We could also have anti-CSRF protection, which prevents cross-site request forgery attacks.