Page: https://www.pomerium.com/docs/concepts/security

What's incorrect or missing

Our documentation currently lacks a clear explanation of how Pomerium handles authentication cookies in the proxy flow. Specifically, we should document that Pomerium automatically strips its authentication cookies (_pomerium) before forwarding requests to upstream services. This is an important security feature that prevents credential replay attacks.

What's the resolution?

Add a new section in the security concepts documentation that:

Explains that Pomerium removes authentication cookies before forwarding requests
Describes why this is important (prevents credential replay attacks)
Notes this is automatic behavior requiring no configuration
Links to the implementation for those interested (clean-upstream.lua): https://github.com/pomerium/pomerium/blob/main/config/envoyconfig/luascripts/clean-upstream.lua

Suggested documentation addition:
Pomerium automatically strips authentication cookies from requests before forwarding them to your upstream services. This security feature prevents credential replay attacks by ensuring that Pomerium's authentication cookies never reach your backend services.
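To make the behaviour concrete for readers (and give them a way to check it), here is an added Go example that is not Pomerium's own code: the real mechanism lives in the Envoy Lua filter linked above (clean-upstream.lua), whereas this block re-implements the same header transform as a plain net/http middleware so it can be run and tested stand-alone. The cookie name `_pomerium` is the default named on this page; the handling of `_pomerium_*` names, the function names, and the sample Cookie header are this example's own assumptions. The `EchoCookieNames` handler is the practical check: deploy it as the upstream of a Pomerium route and request it with a logged-in browser or curl session; if `_pomerium` appears in the response body, the cookie reached the backend and something between Pomerium and the upstream is re-adding it.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AuthCookiePrefix is Pomerium's default session cookie name. A deployment
// that sets cookie_name in Pomerium's config would use that value instead
// (assumption for this example; it is not read from any config here).
const AuthCookiePrefix = "_pomerium"

// StripAuthCookies returns cookieHeader with every cookie whose name is
// exactly prefix, or starts with prefix+"_" (chunked or auxiliary cookies,
// an assumption of this example), removed. Other cookies are kept in their
// original order so the upstream's own session cookies survive untouched.
// This illustrates the transform; it is not Pomerium's clean-upstream.lua.
func StripAuthCookies(cookieHeader, prefix string) string {
	var kept []string
	for _, part := range strings.Split(cookieHeader, ";") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		name := part
		if i := strings.Index(part, "="); i >= 0 {
			name = strings.TrimSpace(part[:i])
		}
		if name == prefix || strings.HasPrefix(name, prefix+"_") {
			continue // never forward the proxy's own credential
		}
		kept = append(kept, part)
	}
	return strings.Join(kept, "; ")
}

// CleanUpstream wraps an upstream handler and rewrites the Cookie header
// before the request reaches it. When no cookies remain the header is
// dropped entirely rather than forwarded as an empty value.
func CleanUpstream(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if raw := r.Header.Get("Cookie"); raw != "" {
			if cleaned := StripAuthCookies(raw, AuthCookiePrefix); cleaned == "" {
				r.Header.Del("Cookie")
			} else {
				r.Header.Set("Cookie", cleaned)
			}
		}
		next.ServeHTTP(w, r)
	})
}

// EchoCookieNames is a minimal "upstream" that reports the cookie names it
// received, one per line. Put it behind a real Pomerium route to verify that
// _pomerium never arrives at the backend.
func EchoCookieNames(w http.ResponseWriter, r *http.Request) {
	for _, c := range r.Cookies() {
		fmt.Fprintln(w, c.Name)
	}
}

// UpstreamSees sends one request carrying cookieHeader through CleanUpstream
// and returns the cookie names the wrapped upstream handler observed.
func UpstreamSees(cookieHeader string) []string {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Cookie", cookieHeader)
	var seen []string
	h := CleanUpstream(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, c := range r.Cookies() {
			seen = append(seen, c.Name)
		}
	}))
	h.ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() {
	// Constructed sample: proxy session cookies mixed with the app's own.
	sample := "_pomerium=eyJhbGc; JSESSIONID=1A2B3C; _pomerium_1=chunk; theme=dark"
	fmt.Println("upstream received:", UpstreamSees(sample)) // [JSESSIONID theme]
}
```

Running `go run` prints the names the upstream saw after the proxy-side strip; only the application's own cookies remain. Note the strip is by name prefix on the Cookie request header only; it does not touch Set-Cookie on responses, which is the direction the upstream owns.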