-
-
Notifications
You must be signed in to change notification settings - Fork 246
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Support for Setting HttpOnly and Secure Flags on NEXT_LOCALE Cookie #1268
Comments
Hey @Michael-Grupp, thank you for your thoughtful report!
I agree, ideally |
Hey @amannn, thank you for the quick response and for addressing the Regarding the Out of curiosity, do you know if there's an issue on Next.js that specifically tracks the behavior of the Router Cache in relation to cookies? It would be helpful to monitor any progress on this front so I can revisit the possibility of setting the Thanks again for your work on this and for considering these enhancements to next-intl. |
Thinking this through again, I think there could be two cases where users might use HTTP:
I also did some research, and found an article on the usage of the
This makes me reconsider if setting the Potentially, we could instead offer an opt-in configuration option (related to #454 (comment)). I made a note about this in #779 to consider for the next major version. For the time being, you can consider modifying the cookie after a response has been generated if this is important to you with something like this: import {NextRequest} from 'next/server';
import createMiddleware from 'next-intl/middleware';
const handleI18nRouting = createMiddleware(/* ... */);
export default function middleware(request: NextRequest) {
const response = handleI18nRouting(request);
if (response.cookies.get('NEXT_LOCALE')) {
// Set the `secure` flag
response.cookies.set(
'NEXT_LOCALE',
response.cookies.get('NEXT_LOCALE').value,
{
...response.cookies.get('NEXT_LOCALE'),
secure: true
}
);
}
return response;
} (not tested) Does this make sense to you?
They're making a lot of changes to caching in Next.js 15, might be worth keeping an eye on the release notes! |
Thank you for the thoughtful response and for providing additional context. I appreciate the detailed considerations regarding the Secure flag. Your points about local development and internal communication are well taken, and I understand how enforcing the Secure flag could present challenges in these scenarios. The comparison with Jaspersoft's approach to non-sensitive cookies also makes sense, especially for user preferences like locale. The idea of offering an opt-in configuration option for the Secure flag sounds like a practical solution. This would provide flexibility and allow developers to tailor the security settings according to their specific use cases. In the meantime, I’ll consider modifying the cookie after the response if necessary to meet our security requirements. I look forward to any updates related to this in future versions of next-intl. Thank you again for your time and for considering these aspects. |
Update: A new Edit: I noticed there's a bug in the current implementation of the |
Re #454 (comment): Ok, a new The proposed docs have been updated accordingly. |
Thanks for fixing this issue |
Is your feature request related to a problem? Please describe.
Yes, the issue is that the cookie set by
next-intl
does not have theHttpOnly
flag. This can present a security risk because cookies without this flag are accessible via JavaScript, which could potentially be exploited by cross-site scripting (XSS) attacks.Additionally, when running security tests, such as with Mozilla Observatory, the cookie set by
next-intl
is flagged because it does not have theSecure
flag. While transmission over HTTP is prevented by HSTS, adding theSecure
flag would ensure that the cookie is only sent over HTTPS, providing an additional layer of security.Describe the solution you'd like
I would like the
next-intl
library to support setting theHttpOnly
andSecure
flags on the cookies it creates. Specifically:HttpOnly
flag should be added to prevent client-side scripts from accessing the cookies, reducing the risk of XSS attacks.Secure
flag should be set on cookies to ensure they are only sent over HTTPS, even when HSTS is enabled.The implementation could involve adding options to the existing cookie configuration, allowing developers to easily enable these flags as needed.
Describe alternatives you've considered
One alternative is to manually set these flags on the cookies after they are created by
next-intl
, but this approach is less desirable because:The text was updated successfully, but these errors were encountered: