Closed acasamassima86 closed 1 month ago
Hi there @acasamassima86!
Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.
We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.
We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.
Thanks, from your friendly Umbraco GitHub bot :robot: :slightly_smiling_face:
Hi @acasamassima86, thanks for reporting this. The reason the UMB_XSRF_TOKEN cookie is not set as HTTP Only is that the value needs to be read in JavaScript to ensure a correct XSRF token is supplied when making API requests, see MS docs: https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-8.0#javascript-ajax-and-spas
Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)
13.3.2
Bug summary
Umbraco uses the UMB-XSRF-TOKEN cookie for CSRF protection. However, the cookie is not currently set as Secure, meaning it can be transmitted over HTTP. This could allow an attacker to intercept the cookie and use it to forge requests to the Umbraco server.
Steps to reproduce
Expected result / actual result
The UMB-XSRF-TOKEN cookie should be set as Secure (HTTP Only)
Additional notes:
This issue has been reported previously: https://github.com/umbraco/Umbraco-CMS/issues/4138
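As an added example that is not part of this issue thread or of the Umbraco code base: a small auditor for Set-Cookie response headers that keeps the two attributes discussed above apart, treating a cookie the front end must read from JavaScript (as the XSRF token is) as exempt from HttpOnly but never from Secure. The header values are constructed samples, not captured from an Umbraco response.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not Umbraco project code. The sample headers below are
constructed to mirror the report: the token cookie arrives without Secure,
and it is expected to remain readable by JavaScript.
"""
from dataclasses import dataclass, field

MISSING_SECURE = "MISSING_SECURE"      # cookie may be sent over plain HTTP
MISSING_HTTPONLY = "MISSING_HTTPONLY"  # cookie is readable by page scripts


@dataclass
class CookieAudit:
    name: str
    attributes: dict[str, str]
    findings: list[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie header into the cookie name and its attributes.
    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    flag attributes such as Secure map to an empty string."""
    pairs = [p.strip() for p in header.split(";") if p.strip()]
    name = pairs[0].partition("=")[0].strip()
    attributes: dict[str, str] = {}
    for pair in pairs[1:]:
        key, _, value = pair.partition("=")
        attributes[key.strip().lower()] = value.strip()
    return CookieAudit(name=name, attributes=attributes)


def audit_set_cookie(header: str, js_readable: bool = False) -> CookieAudit:
    """Report a cookie lacking Secure, and one lacking HttpOnly unless the
    application deliberately reads it from JavaScript (a double-submit XSRF
    token must be readable). Secure and HttpOnly are independent attributes:
    a script-readable cookie can and should still carry Secure."""
    cookie = parse_set_cookie(header)
    if "secure" not in cookie.attributes:
        cookie.findings.append(MISSING_SECURE)
    if "httponly" not in cookie.attributes and not js_readable:
        cookie.findings.append(MISSING_HTTPONLY)
    return cookie


# Constructed sample headers (not captured from a real Umbraco response).
REPORTED = "UMB-XSRF-TOKEN=tokenvalue; Path=/"
EXPECTED = "UMB-XSRF-TOKEN=tokenvalue; Path=/; Secure"

if __name__ == "__main__":
    for label, header in (("reported", REPORTED), ("expected", EXPECTED)):
        result = audit_set_cookie(header, js_readable=True)
        print(f"{label}: {result.name} findings={result.findings or 'none'}")
```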