mdn / mdn-http-observatory

Backend for HTTP Observatory on MDN
https://developer.mozilla.org/en-US/observatory
Mozilla Public License 2.0

AWS load balancer cookies are not secure and there is no way to change that #40

Closed argl closed 1 week ago

argl commented 1 month ago

What information was incorrect, unhelpful, or incomplete?

From user feedback:

Would it be possible for the HTTP Observatory report to acknowledge that it is impossible to enable the secure cookie flag on AWS Cloudfront cookies?

The scan gives −5 for something that we have no control over.

What did you expect to see?

Something to remedy the situation.

Do you have any supporting links, references, or citations?

https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-sticky-sessions.html#:~:text=You%20can%27t%20set%20the%20secure%20flag%20or%20HttpOnly

Do you have anything more you want to share?

No response

github-actions[bot] commented 1 month ago

It looks like this is your first issue. Welcome! 👋 One of the project maintainers will be with you as soon as possible. We appreciate your patience. To safeguard the health of the project, please take a moment to read our code of conduct.

argl commented 1 week ago

After some internal discussions it was decided that we will not change the current behaviour for the time being. There are generally multiple issues with CDN providers and WAFs that cannot be easily and transparently solved. We currently do not have the resources to maintain, document and track CDN peculiarities. Sorry if this is not too helpful for your situation, but consider scanning the origin server instead, bypassing the CDN.
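The two practical points in this thread are that a cookie-flag check like the Observatory's only sees the `Set-Cookie` headers in the response it receives, and that a cookie injected by a load balancer or CDN edge will show up at the edge but not at the origin. The following is an added example, not code from the mdn-http-observatory project: it parses `Set-Cookie` headers, reports cookies missing `Secure` or `HttpOnly`, and diffs an edge response against an origin response so a team can tell which insecure cookies are theirs to fix and which were added in front of them. The sample headers are constructed; the `AWSELB` cookie name is taken from the AWS sticky-sessions documentation linked above, and `sessionid` is an assumed application cookie.

```python
"""Check Set-Cookie headers for Secure/HttpOnly and separate edge-injected
cookies from origin cookies (added example, not project code)."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value into a CookieReport.

    The first ';'-separated part is name=value; the rest are attributes.
    Attribute names are case-insensitive per RFC 6265, so they are lowered.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True  # flag attribute such as Secure
    samesite = attrs.get("samesite")
    return CookieReport(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=samesite if isinstance(samesite, str) else None,
    )


def find_insecure_cookies(headers: List[str]) -> List[str]:
    """Names of cookies that lack Secure or HttpOnly (what a scanner penalises)."""
    return [
        c.name for c in map(parse_set_cookie, headers)
        if not (c.secure and c.httponly)
    ]


def cookies_injected_by_edge(edge_headers: List[str],
                             origin_headers: List[str]) -> Set[str]:
    """Cookie names present at the CDN/load-balancer edge but not at origin.

    These are the ones the application cannot fix by changing its own
    Set-Cookie output; the rest are the origin's responsibility.
    """
    origin_names = {parse_set_cookie(h).name for h in origin_headers}
    edge_names = {parse_set_cookie(h).name for h in edge_headers}
    return edge_names - origin_names


# Constructed sample responses (not captured from a real site).
# The edge response carries the application cookie plus a sticky-session
# cookie added by the load balancer, which has no Secure/HttpOnly flags.
EDGE_SET_COOKIE = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "AWSELB=0123456789ABCDEF; Path=/",
]
# The origin, scanned directly as the maintainer suggests, only sets its own.
ORIGIN_SET_COOKIE = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]


if __name__ == "__main__":
    print("insecure at edge:  ", find_insecure_cookies(EDGE_SET_COOKIE))
    print("insecure at origin:", find_insecure_cookies(ORIGIN_SET_COOKIE))
    print("injected by edge:  ", cookies_injected_by_edge(EDGE_SET_COOKIE,
                                                          ORIGIN_SET_COOKIE))
```

Running the two checks side by side gives the answer the issue asks the report for: the only cookie failing the flag test at the edge is the one the edge added, and the origin on its own passes cleanly. That is exactly what scanning the origin while bypassing the CDN makes visible.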