Did a penetration test of my instance. It reported a risk due to an insecure cookie which could be hijacked by an XSS attack. I would like to prevent this risk by adding a line of code to the nginx config, but I cannot find it as I use the Docker installation.
Is there someone out there who can give me a hint where to find the nginx config? In /etc/nginx/site-available there is no Discourse config used by nginx.
That is just the destination_url cookie, used only during the login flow to store where the user wanted to go, so we can send him there after the login. And since it’s read by the EmberJS app for routing, it can’t carry the HTTP_ONLY flag.
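The answer above draws the distinction a scanner report blurs: a cookie that client-side JavaScript must read cannot be HttpOnly, but it can still be Secure and carry SameSite, and the session cookie must have all three. The script below, an added example that is not code from the thread or from Discourse, parses Set-Cookie header values as a scanner would see them and separates real findings from cookies on an allow-list of JS-readable names. The allow-list, the sample headers and every cookie name other than destination_url are constructed for this example.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly / SameSite.

Added example, not part of the original thread. JS_READABLE lists cookies
the front-end must read (here destination_url, as described in the thread);
HttpOnly is not reported for them, while Secure and SameSite still are.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption for this example: cookies the browser-side app reads via JS.
JS_READABLE = {"destination_url"}


@dataclass
class CookieReport:
    name: str
    attrs: Dict[str, str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieReport:
    """Split one Set-Cookie value into the cookie name and its attributes.

    Attribute names are lower-cased (browsers match them case-insensitively);
    flag attributes such as Secure get an empty string as value.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = ""
    return CookieReport(name=name, attrs=attrs)


def audit_cookie(header: str) -> CookieReport:
    """Return the parsed cookie with a list of missing protections."""
    report = parse_set_cookie(header)
    if "secure" not in report.attrs:
        report.findings.append("missing Secure")
    # HttpOnly is only a finding when no client-side code needs the cookie.
    if "httponly" not in report.attrs and report.name not in JS_READABLE:
        report.findings.append("missing HttpOnly")
    if "samesite" not in report.attrs:
        report.findings.append("missing SameSite")
    return report


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its findings; an empty list means no finding."""
    return {r.name: r.findings for r in (audit_cookie(h) for h in headers)}


# Constructed sample headers (names and values invented for this example).
SAMPLE_HEADERS = [
    "_t=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "destination_url=/t/some-topic; Path=/; Secure; SameSite=Lax",
    "_forum_session=zzz; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for cookie, findings in audit_all(SAMPLE_HEADERS).items():
        print(f"{cookie}: {', '.join(findings) if findings else 'ok'}")
```

Run against the constructed sample, destination_url produces no finding because HttpOnly is exempted for it while Secure and SameSite are present, whereas the session-style cookie that lacks Secure and SameSite is reported; those two attributes are the ones worth chasing in the reverse-proxy or application configuration.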