* the attribute version is obsolete, it will be ignored, please remove it to avoid potential confusion
Signed-off-by: Joost <439100+jvnoije@users.noreply.github.com>
* Add cookie-csrf-samesite option
Most of the code is copied from pull request #1947
Signed-off-by: Joost <439100+jvnoije@users.noreply.github.com>
* Update CHANGELOG.md
Signed-off-by: Joost <439100+jvnoije@users.noreply.github.com>
* Removed release information (review comment)
Signed-off-by: Joost <439100+jvnoije@users.noreply.github.com>
* All cookie variables in a struct
Signed-off-by: Joost <439100+jvnoije@users.noreply.github.com>
* doc: add changelog entry for #3347
Signed-off-by: Jan Larwig <jan@larwig.com>
* revert: unnecessary removal of docker compose version
Signed-off-by: Jan Larwig <jan@larwig.com>
* doc: sort csrf flags
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Joost <439100+jvnoije@users.noreply.github.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* feat: add feature support for cookie-secret-file
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-Authored-By: Sandy Chen <Yuxuan.Chen@morganstanley.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* Allow setting maximum number of csrf cookies, deleting the oldest if necessary
* Add a test for multiple CSRF cookies to remove the old cookie
* Add docs/changelog
* If limit is <=0 do not clear
Signed-off-by: test <bert@transtrend.com>
* Better docs
Co-authored-by: Jan Larwig <jan@larwig.com>
* direct check of option value
Co-authored-by: Jan Larwig <jan@larwig.com>
* direct use of option value
Co-authored-by: Jan Larwig <jan@larwig.com>
* sort based on clock compare vs time compare
Co-authored-by: Jan Larwig <jan@larwig.com>
* clock.Clock does not implement Compare, fix csrf cookie extraction after rename
Signed-off-by: Bert Helderman <bert@transtrend.com>
* Linter fix
* add method signature documentation and slight formatting
Signed-off-by: Jan Larwig <jan@larwig.com>
* fix: test case for csrf cookie limit and flag
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Bert Helderman <bert@transtrend.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: test <bert@transtrend.com>
Co-authored-by: bh-tt <71650427+bh-tt@users.noreply.github.com>
* Allow multiple cookie domains to be specified
* Use X-Forwarded-Host, if it exists, when selecting cookie domain
* Perform cookie domain sorting in config validation phase
* Extract get domain cookies to a single function
* Update pkg/cookies/cookies.go
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* Update changelog
Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Values of 'lax' and 'strict' can improve and mitigate
some categories of cross-site traffic tampering.
Given that the nature of this proxy is often to proxy
private tools, this is useful to take advantage of.
See: https://www.owasp.org/index.php/SameSite