Hi Frappe Community,
During a recent security review, the issue of Missing Cookie Attributes was flagged. Here are the details and feedback received:
Current Status:
- Cookies generated by Frappe already include essential attributes to safeguard against cookie-based attacks.
- While some attributes like Secure and HttpOnly might not always be explicitly visible, Frappe’s core functionality incorporates built-in protections via the Cookies Manager Class.
- Further direct configuration of cookies is managed within the Frappe core and not customizable externally.
Feedback:
- Penetration Tester Recommendation:
  - Explicitly enable the Secure and HttpOnly flags for all core cookies to enhance security further.
- Faircode Comment:
  - These attributes are already handled by the Cookies Manager Class in Frappe core, implying they are included by default.
- Livelawbazar Feedback (30-11-24):
  - Suggested creating a ticket for the core team to evaluate and confirm this implementation for transparency and thoroughness.
Proposal:
- Core Team Confirmation: Can the community or the Frappe core team confirm if all cookies in Frappe are consistently configured with Secure and HttpOnly flags across various deployment scenarios?
- Documentation Update: If these attributes are already enforced, updating the documentation to explicitly mention this could address concerns and provide clarity to users and auditors.
Would it be appropriate to create a ticket for this topic, or are there other considerations we should be aware of? Your guidance would be invaluable.
Best regards,
Nakul P Kumar
Faircode Infotech Pvt. Ltd.
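One way to answer the "across various deployment scenarios" question empirically is to audit the Set-Cookie headers a deployment actually emits rather than reading the core code. The script below is an added example written for this thread, not Frappe code: it parses Set-Cookie header values and reports which of Secure, HttpOnly and SameSite are absent on each cookie. The header strings are constructed samples (cookie names chosen to look like a Frappe session response), and the `https` parameter exists because Secure is only meaningful when the site is served over TLS.

```python
"""Audit Set-Cookie headers for the attributes a pentest report checks.

Added example for this forum thread; not part of Frappe. Feed it the
Set-Cookie values collected from a login response (for example
response.headers.getlist("Set-Cookie") when using requests/urllib3).
"""
from dataclasses import dataclass, field

# Constructed sample headers for a login response (not captured from a real site).
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "full_name=Nakul; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
    "system_user=yes; Path=/; HttpOnly",
]


@dataclass
class CookieReport:
    name: str
    missing: list = field(default_factory=list)


def parse_set_cookie(header: str):
    """Split one Set-Cookie value into (name, value, {attribute: value|True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookie(header: str, https: bool = True) -> CookieReport:
    """Report which hardening attributes are missing from one cookie."""
    name, _, attrs = parse_set_cookie(header)
    report = CookieReport(name)
    if https and "secure" not in attrs:       # Secure only applies to TLS deployments
        report.missing.append("Secure")
    if "httponly" not in attrs:               # keeps the cookie out of document.cookie
        report.missing.append("HttpOnly")
    if "samesite" not in attrs:               # limits cross-site sending of the cookie
        report.missing.append("SameSite")
    return report


def audit_all(headers, https: bool = True) -> dict:
    """Map each cookie name to its list of missing attributes."""
    return {r.name: r.missing for r in (audit_cookie(h, https) for h in headers)}


if __name__ == "__main__":
    for cookie, missing in audit_all(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

Run it once per deployment scenario (HTTP behind a TLS-terminating proxy, direct HTTPS, developer mode) so the ticket for the core team can cite observed headers rather than assumptions.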