Closed curtisk closed 11 years ago
I'd considered adding this previously but wavered on the possible issues it may cause. On second thoughts though, ta :)
...the possible issues it may cause.
That's what's nice about this boilerplate: it shows you what's available, gives a short explanation as to how/why, and you can always opt to remove or comment it out on your own deployment if it doesn't fit your use.
@ChrisMcKee you want this setting written up and added to doc/README.md as well?
Please. Originally the BP contained just the web.server stuff (in keeping with the other configs); I added in the other bits / security headers / config to cover the rest. You do have to consider the people that will inevitably just copy and paste the lot without thinking about it or reading it though :)
Added httpCookies config, which covers setting the HttpOnly flag, a toggle requiring SSL for cookies, and setting the domain for cookies
https://www.owasp.org/index.php/HttpOnly
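The httpCookies element the commit above describes, written out here as an added example rather than the boilerplate's own web.config. It shows the weak defaults next to the hardened settings and what each of the three attributes (httpOnlyCookies, requireSSL, domain) does; the domain value is a placeholder.

```xml
<!-- Added example, not the project's web.config. The httpCookies element sits under
     system.web and sets defaults for every cookie the application writes. -->
<configuration>
  <system.web>

    <!-- Weak (equivalent to leaving the element out): cookies are readable from
         script via document.cookie and are sent over plain HTTP as well as HTTPS.
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
    -->

    <!-- Hardened:
         httpOnlyCookies="true"  cookies carry the HttpOnly flag, so script cannot
                                 read them; limits what an XSS bug can steal.
         requireSSL="true"       cookies carry the Secure flag and the browser only
                                 returns them over HTTPS. On a site that still serves
                                 pages over plain HTTP, sessions will silently break.
         domain is omitted, so the browser scopes cookies to the exact host. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Only when cookies must be shared across subdomains (placeholder domain),
         because a domain cookie is also sent to every other subdomain:
    <httpCookies httpOnlyCookies="true" requireSSL="true" domain="example.com" />
    -->

  </system.web>
</configuration>
```

requireSSL is the setting that bites the copy-and-paste deployments mentioned above: with it on, a login over HTTP appears to succeed but the session cookie is never sent back. The forms authentication ticket cookie is governed separately by the requireSSL attribute on the forms element, so both need to agree on a site that is HTTPS-only.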