Questionable control 16
Control 16 adds a check for set_cookie_flag. Looking at this option it seems you can only activate this if you use the nginx_cookie_flag_module. And to activate it you need to compile nginx from source.
I'm not sure that compiling nginx from source and using a third-party module really improves security, especially if you look at the problems this setting can cause: https://unix.stackexchange.com/a/307479
In my opinion this control should be deleted. Setting cookies should be part of a secure application, not the webserver.
```ruby
control 'nginx-16' do
  impact 1.0
  title 'Set cookie with HttpOnly and Secure flag'
  desc 'You can mitigate most of the common Cross Site Scripting attack using HttpOnly and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible to steal or manipulate web application session and cookies and it’s dangerous.'
  # Scans the nginx config for the set_cookie_flag directive, which only exists
  # when the third-party nginx_cookie_flag_module is compiled in.
  describe parse_config_file(nginx_hardening, options_add_header) do
    its('content') { should match(/^\s*set_cookie_flag * HttpOnly secure;$/) }
  end
end
```
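Since the thread's argument is that cookie flags belong to the application rather than to a compiled-in nginx module, the check can be made against the actual Set-Cookie headers a response carries instead of against the config file. The following Ruby is an added example, not code from the thread or from the nginx baseline; the header list is constructed for illustration.

```ruby
# Added example: inspect Set-Cookie header values and report cookies that lack
# the HttpOnly or Secure attribute. This checks the property nginx-16 is after
# at the HTTP response level, independent of how the cookie was set.

# Per RFC 6265 attribute names are case-insensitive and the cookie-pair comes
# first, so split on ';' and compare lower-cased attribute names.
def cookie_flag_report(set_cookie_headers)
  set_cookie_headers.map do |header|
    parts = header.split(';').map(&:strip)
    name  = parts.first.split('=', 2).first
    attrs = parts.drop(1).map { |a| a.split('=', 2).first.downcase }
    {
      name:     name,
      httponly: attrs.include?('httponly'),
      secure:   attrs.include?('secure'),
    }
  end
end

# Names of cookies that are missing at least one of the two flags.
def missing_flags(set_cookie_headers)
  cookie_flag_report(set_cookie_headers)
    .reject { |c| c[:httponly] && c[:secure] }
    .map { |c| c[:name] }
end

# Constructed sample headers (not captured from a real application).
SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'csrftoken=xyz; Path=/; Secure',
  'theme=dark; Path=/',
].freeze

if __FILE__ == $PROGRAM_NAME
  missing_flags(SAMPLE_HEADERS).each do |n|
    puts "cookie #{n} lacks HttpOnly and/or Secure"
  end
end
```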
I've run into this issue as well and end up skipping this control across the board.
I'm also questioning nginx-14 since it's assuming the if test of $request_method has been added to /etc/nginx/nginx.conf. Since that kind of test needs to be inside a server block, I don't see how this test could ever work.
We could introduce attributes to make tests optional. If a test is not working, we should remove it.
I think making tests optional is a good idea! However, I also think that this test should then be off by default (opt-in), since building nginx from source is IMO still not a good idea.
Thank you @woneill @rndmh3ro for bringing up that question. I agree that we should try to stick to vendor-supported compiled versions and try to squeeze the most secure configuration out of it. If we change the default behavior, we need to bump it to 3.x.
@atomic111 I'd like to get your perspective on that. We could make this an optional test, as @woneill has done in his PR #26.