Fix auth session persistence with HttpOnly cookies and CSRF
11
README.md
@@ -119,16 +119,17 @@ Remedy:
|
||||
- Add deny rules for those paths immediately and reload the proxy.
|
||||
- Verify those routes return `403` or `404` from untrusted networks.
|
||||
|
||||
### Medium: Bearer token is stored in browser `sessionStorage`
|
||||
### Medium: Auth session tokens are cookie-based
|
||||
|
||||
Avoid:
|
||||
- Enforce strict CSP and disallow inline script execution where possible.
|
||||
- Avoid rendering untrusted HTML or script-capable content in the frontend.
|
||||
- Keep dependencies patched to reduce known XSS vectors.
|
||||
- Keep frontend dependencies locked and scanned for known payload paths.
|
||||
- Treat any suspected script injection as a session risk and rotate bootstrap credentials immediately.
|
||||
|
||||
Remedy:
|
||||
- If XSS is suspected, revoke active sessions, rotate privileged credentials, and redeploy frontend fixes before restoring user access.
|
||||
- Treat exposed browser sessions as compromised until revocation and credential rotation are complete.
|
||||
- If script injection is suspected, revoke active sessions, rotate bootstrap credentials, and redeploy frontend fixes before restoring access.
|
||||
- Treat exposed sessions as compromised until revocation and credential rotation are complete.
|
||||
- Cookies are HttpOnly and cannot be read by JavaScript, but session scope still ends on server-side revocation and expiry controls.
|
||||
|
||||
### Low: Typesense transport defaults to HTTP on internal network
|
||||
|
||||
|
||||
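Review bot: the Avoid: list under the new `### Medium: Auth session tokens are cookie-based` heading never documents the cookie attributes or the CSRF check that the commit title promises, so the README now describes a cookie session without naming the risk that replaces the old `sessionStorage` one (the browser attaches the cookie to cross-site requests on its own). Suggest adding a line stating which flags the session cookie carries (HttpOnly, Secure, SameSite) and that state-changing requests must present the CSRF token, so operators can verify the deployed configuration. The added bullet `- Cookies are HttpOnly and cannot be read by JavaScript, but session scope still ends on server-side revocation and expiry controls.` is a property of the design rather than a remedy, and `session scope still ends on` is unclear; consider moving it below the heading as the finding's description and rewording along the lines of `- Cookies are HttpOnly, so page scripts cannot read them, but an exposed session stays valid until server-side revocation or expiry.` Also `- Keep frontend dependencies locked and scanned for known payload paths.` is vaguer than the `Keep dependencies patched to reduce known XSS vectors` line it replaces; `scanned for known vulnerabilities` says what the scan is for.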