Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve the cookieSecure config parameter #31

Merged

Conversation

antoninbas
Copy link
Contributor

We expose it in the Helm chart as security.cookieSecure. The default behavior when installing the Helm chart does not change: if HTTPS is enabled, it is set to true, otherwise it is set to false. However, by exposing it, we enable users who terminate TLS at Ingress (and hence keep HTTPS disabled in Antrea UI) to enable that option, which hardens security.

We also enable it by default in the Viper config, which does not really have an impact on users.

Note that it is not possible for a non-secure origin (HTTP website) to add the Secure attribute. Most modern browsers will not allow it and the cookie will be discarded. This is why we do not unconditionally set the Secure attribute. This restriction does not apply for localhost.

We expose it in the Helm chart as security.cookieSecure. The default
behavior when installing the Helm chart does not change: if HTTPS is
enabled, it is set to true, otherwise it is set to false. However, by
exposing it, we enable users who terminate TLS at Ingress (and hence
keep HTTPS disabled in Antrea UI) to enable that option, which hardens
security.

We also enable it by default in the Viper config, which does not really
have an impact on users.

Note that it is not possible for a non-secure origin (HTTP website) to
add the Secure attribute. Most modern browsers will not allow it and the
cookie will be discarded. This is why we do not unconditionally set the
Secure attribute. This restriction does not apply for localhost.

Signed-off-by: Antonin Bas <abas@vmware.com>
@antoninbas antoninbas requested review from tnqn and xliuxu May 16, 2023 02:13
@antoninbas antoninbas merged commit 1efcd84 into antrea-io:main May 16, 2023
@antoninbas antoninbas deleted the better-defaults-for-cookieSecure branch May 16, 2023 18:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant