Commit b61cc5dd authored by Stan Hu

Enable the HttpOnly flag for experimentation_subject_id cookie

This mitigates some OWASP issues.

Closes https://gitlab.com/gitlab-org/gitlab/issues/34851
parent 5d2d1d79
---
title: Enable the HttpOnly flag for experimentation_subject_id cookie
merge_request: 19189
author:
type: security
...@@ -38,7 +38,8 @@ module Gitlab ...@@ -38,7 +38,8 @@ module Gitlab
cookies.permanent.signed[:experimentation_subject_id] = { cookies.permanent.signed[:experimentation_subject_id] = {
value: SecureRandom.uuid, value: SecureRandom.uuid,
domain: :all, domain: :all,
secure: ::Gitlab.config.gitlab.https secure: ::Gitlab.config.gitlab.https,
httponly: true
} }
end end
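Review bot: the `httponly: true` addition closes off script access, but the two attributes just above it leave the cookie exposed in ways this hunk does not address: `secure:` is conditional on `::Gitlab.config.gitlab.https`, so on an instance not configured for HTTPS the signed `experimentation_subject_id` is still sent in cleartext, and `domain: :all` scopes it to every subdomain, which widens who can read and overwrite it. If the Rack/Rails version in use honours the option, consider also setting `same_site: :lax` alongside `httponly: true` so the cookie is not attached to cross-site requests; and since this lands as `type: security` in the changelog, a spec asserting that the Set-Cookie header carries `HttpOnly` would keep the attribute from regressing silently.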