Secure cookie configuration

Hi guys

I did a penetration test of my instance. It reported a risk due to an insecure cookie which could be hijacked by an XSS attack. I would like to prevent this risk by adding a line of code to the nginx config, but I cannot find it as I use the docker installation.

Is there someone out there who can give me a hint where to find the nginx config? In /etc/nginx/site-available there is no Discourse config used by nginx.

Any hint appreciated.

Kind regards
//neph

1 Like

Can you share the complete result of the penetration test?

I believe you are either running it incorrectly or misreading the report as both Discourse cookies have the secure flag:

2 Likes

Sure, here we go…

1 Like

That is just the destination_url cookie, used only during the login flow to store where the user wanted to go, so we can send them there after the login. And since it is read by the EmberJS app for routing, it can't carry the HTTP_ONLY flag.

You can learn more about all cookies in Discourse at List of cookies used by Discourse

3 Likes
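To triage a scanner finding like the one above, it helps to audit the Set-Cookie headers yourself and separate cookies that must stay readable by client-side JavaScript from ones that really lack a flag. The following is an added example (not Discourse code); the header lines and cookie names other than destination_url are constructed samples, and the JS_READABLE allowlist is an assumption you would fill in from the Discourse cookie list.

```python
"""Audit Set-Cookie headers for the Secure, HttpOnly and SameSite attributes."""
from typing import Dict, List, Set, Tuple

# Constructed sample response headers; not captured from a real instance.
SAMPLE_HEADERS = [
    "Set-Cookie: _t=abc123; path=/; expires=Mon, 01 Jan 2035 00:00:00 GMT; secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: _forum_session=xyz; path=/; secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: destination_url=%2Fc%2Fsupport; path=/; secure",
]

# Assumption: cookies the front-end reads with JavaScript. HttpOnly would break
# them, so a missing HttpOnly is reported as informational, not as a finding.
JS_READABLE: Set[str] = {"destination_url"}


def parse_set_cookie(header: str) -> Tuple[str, Set[str]]:
    """Return (cookie name, lower-cased attribute names) for one Set-Cookie line."""
    value = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    # Attribute names only: "SameSite=Lax" -> "samesite", "HttpOnly" -> "httponly".
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(headers: List[str], js_readable: Set[str] = JS_READABLE) -> Dict[str, List[str]]:
    """Map each cookie name to a list of issues; an empty list means all flags present."""
    findings: Dict[str, List[str]] = {}
    for h in headers:
        if not h.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(h)
        issues: List[str] = []
        if "secure" not in attrs:
            issues.append("missing Secure")
        if "httponly" not in attrs:
            if name in js_readable:
                issues.append("no HttpOnly (expected: read by client-side JS)")
            else:
                issues.append("missing HttpOnly")
        if "samesite" not in attrs:
            issues.append("no SameSite")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for cookie, issues in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: {', '.join(issues) if issues else 'ok'}")
```

Feed it the Set-Cookie lines from a real response (for example copied from the browser's network panel) to see which cookies the scanner is actually complaining about.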

This topic was automatically closed after 4 hours. New replies are no longer allowed.