
Add secure and httponly options for cookies #812

Open

cpadlab wants to merge 3 commits into bugy:master from cpadlab:feature/secure-cookies

Add secure and httponly options for cookies#812
cpadlab wants to merge 3 commits into
bugy:masterfrom
cpadlab:feature/secure-cookies

Conversation

cpadlab commented Feb 19, 2026

I have added the option to configure Secure and HttpOnly flags for cookies, as this prevents potential cookie theft or unauthorized access via scripts.

I have been testing this implementation locally on a server, and it works perfectly. To use it, the user only has to update the security section in the configuration file.

Example change in conf/conf.json:

From this:

```json
"security": {
    "xsrf_protection": "token"
}
```

To this:

```json
"security": {
    "xsrf_protection": "header",
    "cookie_secure": true,
    "cookie_httponly": true
}
```

bugy (Owner) commented Mar 24, 2026

Hi @cpadlab thanks!
Do you see any reason to make it configurable?
Can we just set these parameters for everyone?

cpadlab (Author) commented Mar 24, 2026

> Hi @cpadlab thanks! Do you see any reason to make it configurable? Can we just set these parameters for everyone?

Hi, I wanted to make it configurable to avoid issues with users deploying it on HTTP servers

bugy (Owner) commented Mar 24, 2026

I see. I guess we can set "httponly" to true always.
For the secure attribute you are right. But I would still make the default option true, and users would need to opt in for insecure cookies.

What do you think?

cpadlab (Author) commented May 14, 2026

Hi @bugy, you're absolutely right, I've just pushed the new commits.

knep pushed a commit to knep/script-server that referenced this pull request May 27, 2026

## GitHub Actions CI (.github/workflows/ci.yml)
- Replace dead Travis CI with GitHub Actions workflow
- Matrix: Python 3.10, 3.11, 3.12 (fail-fast: false)
- Separate job for frontend tests (Node 20, npm ci)
- Uses pip cache and npm cache for faster runs

## Secure & HttpOnly cookies (upstream PR bugy#812 by @cpadlab)
- Add cookie_secure config option (default: true) in ServerConfig
- Set httponly=True on all session cookies (username, token,
  token_details, client_id_token)
- Respect cookie_secure flag on all set_secure_cookie calls
- Add xsrf_cookie_kwargs: httponly=True, samesite=Lax, secure=cookie_secure
- Fix test mocks: add application.server_config, accept **kwargs in
  set_secure_cookie (test_utils, ip_idenfication_test,
  test_auth_abstract_oauth, server_test)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
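The behaviour agreed in the thread above (HttpOnly on every session cookie unconditionally, Secure defaulting to on with an explicit opt-out for plain-HTTP deployments, SameSite=Lax on the XSRF cookie as in the fork's commit message) can be seen in isolation in the following added example. It is not code from script-server, from the PR author or from the fork; it uses only the Python standard library instead of Tornado's `set_secure_cookie`, and it assumes a config section shaped like the `security` block in `conf/conf.json` where the only cookie key read is `cookie_secure`. The sample configs are constructed for the example. The `audit_set_cookie` helper is the check a reviewer would run against a server's real `Set-Cookie` headers to confirm the flags actually arrive at the browser.

```python
"""Derive Secure/HttpOnly/SameSite cookie attributes from a config block
shaped like script-server's "security" section, and audit a Set-Cookie
header for those flags.

This is an illustrative stand-alone example, not script-server code.
Assumption: every cookie the server sets is a session-style cookie that no
legitimate page script needs to read, so HttpOnly is never configurable.
"""

from http.cookies import SimpleCookie

# Constructed sample configs (not taken from any real deployment).
LEGACY_CONFIG = {"xsrf_protection": "token"}            # no cookie keys: secure defaults apply
PLAIN_HTTP_CONFIG = {"xsrf_protection": "token",        # operator on plain HTTP opting out
                     "cookie_secure": False}
HARDENED_CONFIG = {"xsrf_protection": "header",         # explicit, same as the default
                   "cookie_secure": True}


def cookie_attrs(security_config):
    """Return the attribute kwargs applied to every cookie the server sets.

    HttpOnly is always on. Secure defaults to True; a deployment that really
    serves over plain HTTP must opt out with "cookie_secure": false, otherwise
    browsers silently drop the Secure cookie and logins appear broken.
    SameSite=Lax keeps the cookie off cross-site POSTs without breaking
    top-level navigation into the app.
    """
    secure = security_config.get("cookie_secure", True)
    if not isinstance(secure, bool):
        # A string such as "false" would be truthy; fail loudly instead.
        raise ValueError("cookie_secure must be a JSON boolean")
    return {"httponly": True, "secure": secure, "samesite": "Lax"}


def build_set_cookie(name, value, security_config, path="/"):
    """Render the Set-Cookie header value for one cookie using cookie_attrs."""
    attrs = cookie_attrs(security_config)
    jar = SimpleCookie()
    jar[name] = value                     # quotes the value if it needs it
    morsel = jar[name]
    morsel["path"] = path
    morsel["httponly"] = attrs["httponly"]  # flag attributes are emitted only when truthy
    morsel["secure"] = attrs["secure"]
    morsel["samesite"] = attrs["samesite"]
    return morsel.OutputString()


def audit_set_cookie(header_value):
    """Return the hardening attributes a Set-Cookie header value lacks.

    The result is a sorted list drawn from ["HttpOnly", "SameSite", "Secure"];
    an empty list means the cookie carries all three.
    """
    parts = [p.strip() for p in header_value.split(";")]
    present = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    missing = [flag for flag in ("Secure", "HttpOnly", "SameSite")
               if flag.lower() not in present]
    return sorted(missing)


if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_CONFIG),
                       ("plain HTTP opt-out", PLAIN_HTTP_CONFIG),
                       ("hardened", HARDENED_CONFIG)):
        header = build_set_cookie("token", "abc123", cfg)
        print(f"{label:20} {header}  missing={audit_set_cookie(header)}")
```

Run the file directly to see the three header variants; the legacy config with no cookie keys produces the same header as the explicit hardened one, which is the opt-out-only behaviour the maintainer asked for.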