Questionable control 16 #21

@rndmh3ro

Description

Control 16 adds a check for set_cookie_flag. Looking at this option, it seems you can only activate this if you use the nginx_cookie_flag_module. And to activate it you need to compile nginx from source.

I'm not sure that compiling nginx from source and using a third-party module really improves security, especially if you look at the problems this setting can cause: https://unix.stackexchange.com/a/307479

In my opinion this control should be deleted. Setting cookies should be part of a secure application, not the webserver.

```ruby
control 'nginx-16' do
  impact 1.0
  title 'Set cookie with HttpOnly and Secure flag'
  desc 'You can mitigate most of the common Cross Site Scripting attack using HttpOnly and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible to steal or manipulate web application session and cookies and it’s dangerous.'
  describe parse_config_file(nginx_hardening, options_add_header) do
    its('content') { should match(/^\s*set_cookie_flag * HttpOnly secure;$/) }
  end
end
```
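As an added example (not code from the issue or from the nginx-baseline project), the property control 16 is after can be verified on the Set-Cookie headers an application actually emits, which is where the post argues the responsibility lies; the header values below are constructed, not captured from a real server.

```ruby
# Added example: check HttpOnly/Secure on the cookies a response really sets,
# instead of on an nginx directive that only exists with a third-party module.
# Input is the list of raw Set-Cookie header values from one HTTP response.

REQUIRED_FLAGS = %w[httponly secure].freeze

# Parse one Set-Cookie value into [cookie_name, downcased attribute names].
# Attribute names are compared case-insensitively, as browsers treat them.
def parse_set_cookie(value)
  parts = value.split(';').map(&:strip).reject(&:empty?)
  name = parts.shift.to_s.split('=', 2).first.to_s
  attrs = parts.map { |p| p.split('=', 2).first.strip.downcase }
  [name, attrs]
end

# Return { cookie_name => [missing flags] } for every cookie lacking a flag.
# An empty hash means every cookie in the response carries both flags.
def cookie_flag_findings(set_cookie_headers)
  findings = {}
  set_cookie_headers.each do |hdr|
    name, attrs = parse_set_cookie(hdr)
    missing = REQUIRED_FLAGS.reject { |flag| attrs.include?(flag) }
    findings[name] = missing unless missing.empty?
  end
  findings
end

# Constructed sample headers (hypothetical cookie names, not from any real app).
SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'csrftoken=xyz; Path=/; Secure',
  'tracking=1; Path=/',
].freeze

if $PROGRAM_NAME == __FILE__
  cookie_flag_findings(SAMPLE_HEADERS).each do |name, missing|
    puts "#{name}: missing #{missing.join(', ')}"
  end
end
```

The same check can be dropped into an InSpec control that fetches a real response, so the test covers the cookies the application sets rather than an nginx build option.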
