Secure cookies & X-Frame-Options

Reply to Secure cookies & X-Frame-Options on Wed, 08 Sep 2021 14:25:54 GMT

scooke — Wed, 08 Sep 2021 14:25:54 GMT

@luckow Thanks for introducing me to this site (siwecos.de)!

Reply to Secure cookies & X-Frame-Options on Wed, 08 Sep 2021 11:42:55 GMT

nebulon — Wed, 08 Sep 2021 11:42:55 GMT

I've published a new app package which now has strict and secure cookies.

Regarding the X-Frame-Options, we used to have that in the platform but decided against supporting it, due to the overlap with CSP and thus having caused inconsistency and confusion depending on what the app sets on its own.

Reply to Secure cookies & X-Frame-Options on Wed, 08 Sep 2021 10:07:52 GMT

jimcavoli — Wed, 08 Sep 2021 10:07:52 GMT

@nebulon Also while X-Frame-Options is not as current as CSP, it's still considered best practice to get more complete coverage for that protection across browsers, especially older ones:

https://caniuse.com/contentsecuritypolicy2
https://caniuse.com/x-frame-options

At least, that's still the case for every audit and best practice list in the circles I'm in. It is still required by the latest ASVS 4.0.2 (criteria 14.4.7) as well (source: en / de). So I'd encourage both. While you're touching the session cookie, you can also probably go SameSite=Strict as well.

Reply to Secure cookies & X-Frame-Options on Mon, 06 Sep 2021 16:22:17 GMT

sanduhrs — Mon, 06 Sep 2021 16:22:17 GMT

@nebulon The cookies that are set aren't marked as secure.

Please also see: https://siwecos.de/wiki/Set-Cookie/EN

Reply to Secure cookies & X-Frame-Options on Mon, 06 Sep 2021 12:14:46 GMT

nebulon — Mon, 06 Sep 2021 12:14:46 GMT

@luckow what is missing regarding the cookie here?

For x-frame-options, this is obsolete and now done via CSP, see https://docs.cloudron.io/apps/#custom-csp how to configure that.