tullinge / booking

🎫 Booking system for an all-activities day
MIT License

Rewrite HTTP headers in nginx configuration #63

Closed vilhelmprytz closed 4 years ago

vilhelmprytz commented 4 years ago

The default Set-Cookie header in Flask is not really secure. I've added the SESSION_COOKIE_SECURE variable within Flask (which makes sure the cookies are only present over HTTPS connections, client-side) but I also want to limit the cookie to a specific domain name (prevents cross-site requests, to some extent).

There is an option to do this within Flask, but I don't think it's compatible with the Flask-Session module we're using.

So I've configured Nginx to rewrite the HTTP header from the UWSGI response before the request is then finally sent to the user. I also made a copy of the default nginx.conf with HTTP only (only for testing, I used it to test the header rewrite). The rewrite basically just adds SameSite=Strict to the Set-Cookie header from UWSGI.

The only backside of this is that it also applies to static content. So requesting the /static/css/style.css stylesheet also returns the Set-Cookie header but with only SameSite=Strict (so it isn't actually setting any cookies).

Let me know if it works.
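
One way to verify the behaviour described in this comment, as an added example that is not part of the PR or the tullinge/booking project: a small Python audit of Set-Cookie headers that flags a session cookie missing Secure or SameSite and recognises the attribute-only header the comment describes for static files. The sample responses are constructed, not captured from the deployment.

```python
# Added example (not the tullinge/booking project's code): audit Set-Cookie
# headers for Secure/SameSite and for the attribute-only header described in
# the PR for static files, where nginx rewrote a response that set no cookie.
from __future__ import annotations
from dataclasses import dataclass, field

# Set-Cookie attribute names; any other first segment is the cookie's name=value.
_ATTRS = {"expires", "max-age", "domain", "path", "secure", "httponly", "samesite"}

@dataclass
class CookieAudit:
    name: str | None               # None when no name=value pair is present
    secure: bool = False
    samesite: str | None = None
    problems: list[str] = field(default_factory=list)

def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie value and record its security problems."""
    audit = CookieAudit(name=None)
    for i, seg in enumerate(s.strip() for s in header.split(";") if s.strip()):
        key, _, value = seg.partition("=")
        key_l = key.strip().lower()
        if i == 0 and key_l not in _ATTRS:
            audit.name = key.strip()          # first segment is name=value
        elif key_l == "secure":
            audit.secure = True
        elif key_l == "samesite":
            audit.samesite = value.strip()
    if audit.name is None:
        # The PR's static-file case: SameSite=Strict was appended to a
        # response that set no cookie, so this header sets nothing at all.
        audit.problems.append("attribute-only Set-Cookie (no cookie set)")
        return audit
    if not audit.secure:
        audit.problems.append("missing Secure")
    if (audit.samesite or "").lower() not in ("strict", "lax"):
        audit.problems.append("SameSite missing or None")
    return audit

def audit_response(headers: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each Set-Cookie header (by cookie name, or '<none>') to its problems."""
    audits = (parse_set_cookie(v) for k, v in headers if k.lower() == "set-cookie")
    return {(a.name or "<none>"): a.problems for a in audits}

# Constructed sample responses, not captured from the real deployment.
SESSION_RESPONSE = [("Content-Type", "text/html"),
                    ("Set-Cookie", "session=abc123; HttpOnly; Path=/; Secure; SameSite=Strict")]
STATIC_RESPONSE = [("Content-Type", "text/css"), ("Set-Cookie", "SameSite=Strict")]
```

Running `audit_response` against both samples reports the session cookie as clean and the stylesheet response as carrying a Set-Cookie header that sets no cookie, which is the side effect the comment describes.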

einarpersson commented 4 years ago

Let's try it :)