Enable the HttpOnly flag for experimentation_subject_id cookie

This mitigates some OWASP issues. Closes https://gitlab.com/gitlab-org/gitlab/issues/34851

Enable the HttpOnly flag for experimentation_subject_id cookie
This mitigates some OWASP issues. Closes https://gitlab.com/gitlab-org/gitlab/issues/34851
b61cc5dd · Stan Hu · 5d2d1d79 · b61cc5dd · b61cc5dd
Commit b61cc5dd authored Oct 26, 2019 by Stan Hu
Showing with 7 additions and 1 deletion

changelogs/unreleased/sh-set-httponly-experimentation-subject-id.yml ...unreleased/sh-set-httponly-experimentation-subject-id.yml +5 -0

lib/gitlab/experimentation.rb lib/gitlab/experimentation.rb +2 -1

No files found.
--- a/changelogs/unreleased/sh-set-httponly-experimentation-subject-id.yml
+++ b/changelogs/unreleased/sh-set-httponly-experimentation-subject-id.yml
+---
+title: Enable the HttpOnly flag for experimentation_subject_id cookie
+merge_request: 19189
+author:
+type: security
--- a/lib/gitlab/experimentation.rb
+++ b/lib/gitlab/experimentation.rb
@@ -38,7 +38,8 @@ module Gitlab
        cookies.permanent.signed[:experimentation_subject_id] = {
          value: SecureRandom.uuid,
          domain: :all,
-          secure: ::Gitlab.config.gitlab.https
+          secure: ::Gitlab.config.gitlab.https,
+          httponly: true
        }
      end