[DOCU-2922] Security best practices - No information on how to configure Cookie HttpOnly and Secure flags Created: 19/Nov/23  Updated: 23/Nov/23  Resolved: 23/Nov/23

Status: Closed
Project: Documentation
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Neutral
Reporter: Raymond Tran Assignee: Adrian Brooks
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Documentation page URL: https://docs.magnolia-cms.com/product-docs/6.2/Administration/Security/Security-best-practices.html

Description

Our Security best practices document contains the following guidance:

Enforce HTTPS for JSESSIONID cookies by setting secure to true in web.xml. Consider also enabling the httpOnly setting. Make sure you understand the impact of those settings on local development without a certificate.

It does not, however, state how the Cookie HttpOnly and Secure flags can be configured in Magnolia.

This can cause ambiguity such as the case where a partner has stated that it is the responsibility of Magnolia to define these settings in Magnolia Bundle's Tomcat web.xml when it is in fact possible to define the configuration values in the Maven project.
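The setting the quoted guidance refers to is the Servlet 3.0+ `cookie-config` element of `web.xml`, which applies to the session cookie (JSESSIONID) regardless of whether the file is the bundled Tomcat's `web.xml` or the one in the Maven project's webapp. The fragment below is an added example, not text from this issue or from the Magnolia documentation; the session timeout value is an assumption included only to show where the element sits.

```xml
<!-- Added example: Servlet 3.0+ session cookie hardening in web.xml.
     Place inside the top-level <web-app> element. -->
<session-config>
    <!-- Assumed value; not part of the security guidance. -->
    <session-timeout>30</session-timeout>
    <cookie-config>
        <!-- Browser will not expose JSESSIONID to client-side script
             (document.cookie), reducing the impact of XSS. -->
        <http-only>true</http-only>
        <!-- Browser only sends JSESSIONID over HTTPS. A local instance
             served over plain HTTP will not keep its session, which is
             the impact on local development the guidance warns about. -->
        <secure>true</secure>
    </cookie-config>
</session-config>
```

To confirm the flags are in effect, inspect the `Set-Cookie` response header on the first request to the instance: it should include both `HttpOnly` and `Secure`.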



Comments
Comment by Adrian Brooks [ 23/Nov/23 ]

Note added about the configuration in Magnolia here: https://docs.magnolia-cms.com/product-docs/6.2/Administration/Security/Security-best-practices.html#_servlet_container_and_web_server_configuration

Generated at Mon Feb 12 01:31:31 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.