Details
Improvement
Resolution: Done
Description
Our Security best practices document contains the following guidance:
Enforce HTTPS for JSESSIONID cookies by setting secure to true in web.xml. Consider also enabling the httpOnly setting. Make sure you understand the impact of those settings on local development without a certificate.
It does not, however, state how the cookie HttpOnly and Secure flags can be configured in Magnolia.
This causes ambiguity. In one case a partner stated that it is Magnolia's responsibility to define these settings in the Magnolia bundle's Tomcat web.xml, when in fact the configuration values can be defined in the Maven project.
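The guidance quoted above maps onto the standard Servlet 3.0 `<session-config>` element. The following web.xml fragment is an added illustration, not taken from the Magnolia documentation or bundle; that it is placed in the project's own web.xml (for example via a Maven webapp overlay) rather than the bundled Tomcat web.xml is an assumption.

```xml
<!-- Added example: hardening the JSESSIONID cookie in the project's web.xml (assumed location) -->
<session-config>
  <session-timeout>30</session-timeout>
  <cookie-config>
    <!-- HttpOnly: the session id is not readable from client-side script -->
    <http-only>true</http-only>
    <!-- Secure: the browser only sends the cookie over HTTPS.
         On a local instance served over plain HTTP without a certificate the
         cookie is never returned, so every request starts a new session;
         this is the impact the best-practices document warns about. -->
    <secure>true</secure>
  </cookie-config>
  <!-- Keep the session id in the cookie only, never in the URL -->
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
```

A quick check after deployment is to inspect the `Set-Cookie: JSESSIONID=...` response header and confirm it carries both the `HttpOnly` and `Secure` attributes.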