
Resolve "Use SameSite strict attribute setting for cookies"

Sets the SameSite=strict header for all cookies on signin. Sadly, this is not yet the default for Spring, but until it is, we have to add this workaround. An exception for this is the language cookie (set somewhere else, and more difficult to set), but since there is no conceivable attack vector that involves changing the language, we don't need to change its header. The most important one is JSESSIONID; by making sure that it's SameSite, we prevent CSRF.

Closes #148 (closed)

Edited by Georgios Andreadis
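As an added example (not the merge request's own code), a small audit that checks the Set-Cookie headers of a sign-in response and reports every cookie whose SameSite attribute is missing or weaker than Strict, skipping an allowlisted language cookie the way the change does. The cookie name `lang` and the sample headers are constructed assumptions.

```python
"""Audit Set-Cookie headers for the SameSite=Strict attribute (added example)."""
from typing import Dict, List, Tuple

# Assumption: the language cookie is called "lang"; the page does not name it.
ALLOWLIST = frozenset({"lang"})


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to "". Only the first '=' of each part is significant, so
    cookie values that themselves contain '=' survive intact.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def find_weak_cookies(headers: List[str], allow: frozenset = ALLOWLIST) -> List[str]:
    """Return the names of cookies whose SameSite is absent or not Strict."""
    weak: List[str] = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name in allow:
            continue  # e.g. the language cookie, deliberately left as-is
        if attrs.get("samesite", "").lower() != "strict":
            weak.append(name)
    return weak


# Constructed sample: Set-Cookie headers from a hypothetical sign-in response.
SAMPLE_HEADERS = [
    "JSESSIONID=ABC123; Path=/; HttpOnly; Secure",
    "XSRF-TOKEN=t0k=en==; Path=/; SameSite=Strict; Secure",
    "lang=en; Path=/",
    "remember-me=v2; Path=/; SameSite=Lax; HttpOnly",
]

if __name__ == "__main__":
    print("Cookies without SameSite=Strict:", find_weak_cookies(SAMPLE_HEADERS))
```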
