apache2: add secure flag header when enforce_ssl

The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. Change-Id: I1ded951d79ad9fa832d1e88f656a1e064b1ef007 Closes-bug: #1822751 Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@canonical.com>
2019-04-02 12:14:23 +02:00 · 2019-04-02 12:14:23 +02:00 · 101098a1c2
commit 101098a1c2
parent 115790bac6
1 changed files with 1 additions and 0 deletions
--- a/templates/default-ssl
+++ b/templates/default-ssl
@ -44,6 +44,7 @@ NameVirtualHost *:{{ 443 }}
    SSLCertificateKeyFile /etc/apache2/ssl/{{ namespace }}/key_{{ endpoint }}
 {% if enforce_ssl %}
    Header set Strict-Transport-Security "max-age={{ hsts_max_age_seconds }}"
+    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
 {% endif %}
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"