Enable secure and httpOnly option for sessions

These are 2 measures for improving security of cookies. One is used to not send the cookie over HTTP (only HTTPS) and the other tells the browser to disallow client-side code accessing the cookie.
2017-10-15 16:34:39 +02:00 · 2017-10-15 16:34:39 +02:00 · 92b78f7c15
parent 6e3a9494ce
commit 92b78f7c15
7 changed files with 19 additions and 8 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -5,6 +5,8 @@ services:
    restart: always
    volumes:
      - ./config.template.yml:/etc/authelia/config.yml:ro
+    environment:
+      - NODE_TLS_REJECT_UNAUTHORIZED=0
    depends_on: 
      - redis
    networks:
--- a/example/authelia/docker-compose.yml
+++ b/example/authelia/docker-compose.yml
@ -6,6 +6,8 @@ services:
    volumes:
      - ./config.template.yml:/etc/authelia/config.yml:ro
      - ./notifications:/var/lib/authelia/notifications
+    environment:
+      - NODE_TLS_REJECT_UNAUTHORIZED=0
    depends_on: 
      - redis
    networks:
--- a/example/nginx/nginx.conf
+++ b/example/nginx/nginx.conf
@ -35,6 +35,7 @@ http {
            proxy_set_header  X-Original-URI $request_uri;
            proxy_set_header  Host $http_host;
            proxy_set_header  X-Real-IP $remote_addr;
+            proxy_set_header  X-Forwarded-Proto $scheme;

            proxy_pass        http://authelia/;

@ -73,6 +74,7 @@ http {
            internal;
            proxy_set_header  X-Original-URI $request_uri;
            proxy_set_header  X-Real-IP $remote_addr;
+            proxy_set_header  X-Forwarded-Proto $scheme;
            proxy_set_header  Host $http_host;
            proxy_set_header  Content-Length "";

@ -126,6 +128,7 @@ http {
            internal;
            proxy_set_header  X-Original-URI $request_uri;
            proxy_set_header  X-Real-IP $remote_addr;
+            proxy_set_header  X-Forwarded-Proto $scheme;
            proxy_set_header  Host $http_host;
            proxy_set_header  Content-Length "";

@ -162,6 +165,7 @@ http {
            internal;
            proxy_set_header  X-Original-URI $request_uri;
            proxy_set_header  X-Real-IP $remote_addr;
+            proxy_set_header  X-Forwarded-Proto $scheme;
            proxy_set_header  Host $http_host;
            proxy_set_header  Content-Length "";

@ -198,6 +202,7 @@ http {
            internal;
            proxy_set_header  X-Original-URI $request_uri;
            proxy_set_header  X-Real-IP $remote_addr;
+            proxy_set_header  X-Forwarded-Proto $scheme;
            proxy_set_header  Host $http_host;
            proxy_set_header  Content-Length "";

@ -234,6 +239,7 @@ http {
            internal;
            proxy_set_header  X-Original-URI $request_uri;
            proxy_set_header  X-Real-IP $remote_addr;
+            proxy_set_header  X-Forwarded-Proto $scheme;
            proxy_set_header  Host $http_host;
            proxy_set_header  Content-Length "";

--- a/server/src/index.ts
+++ b/server/src/index.ts
@ -1,7 +1,5 @@
 #! /usr/bin/env node

-process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
-
 import Server from "./lib/Server";
 import { GlobalDependencies } from "../types/Dependencies";
 import YAML = require("yamljs");
--- a/server/src/lib/Server.ts
+++ b/server/src/lib/Server.ts
@ -23,8 +23,8 @@ import * as http from "http";
 const addRequestId = require("express-request-id")();

 // Constants
-
 const TRUST_PROXY = "trust proxy";
+const X_POWERED_BY = "x-powered-by";
 const VIEWS = "views";
 const VIEW_ENGINE = "view engine";
 const PUG = "pug";
@ -54,9 +54,9 @@ export default class Server {
    app.use(BodyParser.json());
    app.use(deps.session(expressSessionOptions));
    app.use(addRequestId);
-    app.disable("x-powered-by");
+    app.disable(X_POWERED_BY);
+    app.enable(TRUST_PROXY);

-    app.set(TRUST_PROXY, 1);
    app.set(VIEWS, viewsDirectory);
    app.set(VIEW_ENGINE, PUG);

--- a/server/src/lib/configuration/SessionConfigurationBuilder.ts
+++ b/server/src/lib/configuration/SessionConfigurationBuilder.ts
@ -12,7 +12,8 @@ export class SessionConfigurationBuilder {
      resave: false,
      saveUninitialized: true,
      cookie: {
-        secure: false,
+        secure: true,
+        httpOnly: true,
        maxAge: configuration.session.expiration,
        domain: configuration.session.domain
      },
--- a/server/test/SessionConfigurationBuilder.test.ts
+++ b/server/test/SessionConfigurationBuilder.test.ts
@ -73,7 +73,8 @@ describe("test session configuration builder", function () {
      resave: false,
      saveUninitialized: true,
      cookie: {
-        secure: false,
+        secure: true,
+        httpOnly: true,
        maxAge: 3600,
        domain: "example.com"
      }
@ -153,7 +154,8 @@ describe("test session configuration builder", function () {
      resave: false,
      saveUninitialized: true,
      cookie: {
-        secure: false,
+        secure: true,
+        httpOnly: true,
        maxAge: 3600,
        domain: "example.com"
      },