Comments (4)
Hi, we already set some of the mentioned cookie flags, and some flags we deliberately do not set.
- `SameSite: Strict`: already set for `sessionid` and `csrftoken`.
- `HttpOnly`: set for `sessionid`. Not set for `csrftoken` because this cookie needs to be readable by JS. CSRF tokens do not require the `HttpOnly` flag to protect against CSRF attacks.
- `Secure`: currently not set. We will add it. Thanks for noticing.
- `Path`: SysReptor does not support running on a subpath, so we do not set this flag.
- `Domain`: this flag is deliberately unset such that browsers send this cookie only to the domain that set it. Cookies are only valid for a single SysReptor instance. There is no need to send cookies to other domains.
- `Expires`: this flag is deliberately unset to use session cookies that are discarded when the browser is closed. The backend enforces a session timeout of 14 hours.
from sysreptor.
Thank you for your very swift feedback! Those are very clear statements.
I'm happy that I could at least contribute the suggestion of the `Secure` flag. For the others, I understand why you cannot / will not implement them.
And thank you for noting that SysReptor does not support running on sub-paths. That's important for us to know! All the more reason to give it its own DNS entry and vhost.
from sysreptor.
Reopening for tracking the resolution.
For the `Secure` attribute, we must check if the installation runs via https, because this might not be the case for local installations.
from sysreptor.
Implemented in https://github.com/Syslifters/sysreptor/releases/tag/2024.49
We introduced the `SECURE_SSL_REDIRECT` setting to configure that SysReptor should only be accessible via https. All http requests will be redirected to https and `Secure` flags will be set for cookies. Reverse proxies should set the HTTP header `X-Forwarded-Proto: https` to signal that incoming requests were TLS-protected https requests.
from sysreptor.
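The following Python sketch is an added example and not SysReptor's own code. It models two things from this thread: the cookie attribute policy described in the first maintainer comment (`SameSite=Strict` on both cookies, `HttpOnly` only on `sessionid`, `Domain` and `Expires` left unset) and the `SECURE_SSL_REDIRECT` / `X-Forwarded-Proto` decision from the last one, including the check a practitioner wants: the forwarded header is only honoured when it arrives from a trusted reverse proxy, because any client can send it too. The names `Settings`, `request_is_https`, `build_set_cookie` and `handle_request`, the proxy address 10.0.0.5 and the cookie values are assumptions made for the example.

```python
"""Added example, not SysReptor's code: models the cookie attributes discussed in
the thread and the SECURE_SSL_REDIRECT / X-Forwarded-Proto decision.

Assumptions (not from the page): the names Settings, request_is_https,
build_set_cookie and handle_request are illustrative, the proxy address
10.0.0.5 is constructed, and the cookie values are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Settings:
    # Modelled on the SECURE_SSL_REDIRECT setting from the thread: when True,
    # plain-http requests are redirected and cookies get the Secure flag.
    secure_ssl_redirect: bool = True
    # Only a reverse proxy we control may assert the original scheme.
    # The address is constructed for this example.
    trusted_proxy_ips: frozenset = frozenset({"10.0.0.5"})
    proxy_proto_header: str = "x-forwarded-proto"


def request_is_https(headers, remote_addr, tls_terminated_locally, settings):
    """Decide whether the browser's request was TLS-protected.

    X-Forwarded-Proto can be sent by any client, so it is honoured only when
    the TCP peer is a trusted proxy. That proxy must also overwrite (not merely
    pass through) the header, or a client could inject it via the proxy.
    """
    if tls_terminated_locally:
        return True
    if remote_addr in settings.trusted_proxy_ips:
        return headers.get(settings.proxy_proto_header, "").lower() == "https"
    return False


def build_set_cookie(name, value, *, secure, http_only):
    """Build one Set-Cookie header value with the attribute policy from the thread.

    Domain and Expires are deliberately omitted: without Domain the cookie is
    host-only, and without Expires/Max-Age it is a session cookie the browser
    discards on close. Path is omitted too (RFC 6265 then derives a default
    Path from the request URI).
    """
    attrs = [f"{name}={value}", "SameSite=Strict"]
    if http_only:
        attrs.append("HttpOnly")  # sessionid only; csrftoken must stay readable by JS
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def handle_request(path, headers, remote_addr, tls_terminated_locally, settings):
    """Return (status, response_headers) for one request.

    headers: dict with lower-cased header names, constructed by the caller.
    """
    https = request_is_https(headers, remote_addr, tls_terminated_locally, settings)
    if settings.secure_ssl_redirect and not https:
        host = headers.get("host", "localhost")
        return 301, {"location": f"https://{host}{path}"}
    cookies = [
        build_set_cookie("sessionid", "s3ss10n", secure=https, http_only=True),
        build_set_cookie("csrftoken", "t0k3n", secure=https, http_only=False),
    ]
    return 200, {"set-cookie": cookies}


if __name__ == "__main__":
    s = Settings()
    # Request relayed by the trusted proxy after TLS termination (constructed).
    print(handle_request("/login/", {"host": "reports.example.com",
                                     "x-forwarded-proto": "https"},
                         "10.0.0.5", False, s))
    # Same header sent directly by a client over plain http: redirected, not trusted.
    print(handle_request("/login/", {"host": "reports.example.com",
                                     "x-forwarded-proto": "https"},
                         "203.0.113.7", False, s))
```

The proxy-side half of this is that the reverse proxy sets the header itself rather than forwarding whatever the client sent (for nginx, `proxy_set_header X-Forwarded-Proto $scheme;`); otherwise a plain-http client can claim `https`, skip the redirect, and receive cookies with `Secure` set on an unencrypted connection.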