
Allow users to change cookieNameStrict in configuration

Open nargotik opened this issue 5 years ago • 3 comments

  • new feature? Security enhancement by letting users choose to change the nette-samesite cookie name

#182

Allowing users to change the cookie name is a security enhancement because sometimes there is no need to tell site users what technology the site is using.

```neon
http:
    cookieNameStrict: fancyname-samesite
```

  • BC break? no
  • doc PR: nette/docs#???

nargotik avatar Dec 06 '20 23:12 nargotik

At the moment, it is difficult to make a clean solution, so I'll implement it in the next bigger version.

However, in nette/http 3.1 the name has changed to _nss which is not so noticeable.

dg avatar Jan 05 '21 21:01 dg

@dg Ty for the reply. I think that having nette in the cookie name is not bad; the bad thing is not giving the dev the flexibility of changing it, just because of security.

Normally it is good behavior not to pass all information about what is running the system to a possible attacker; even if it is _nss, it gives the possible attacker a clue that the site is using nette/http > 3.1.

nargotik avatar Jan 05 '21 22:01 nargotik

I understand that, I am leaving the issue open.

dg avatar Jan 05 '21 22:01 dg
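The disclosure argument made in this thread, as an added example that is not part of nette/http or of the issue itself: a small check that scans the Set-Cookie headers of a raw HTTP response for cookie names that reveal the server-side stack. The two nette names (nette-samesite, _nss) come from the discussion above; the other entries in the lookup table, and the sample responses, are assumptions constructed for illustration (the "after" response uses the fancyname-samesite value from the issue and an arbitrary session cookie name, sid).

```python
# Added example, not code from nette/http or from this issue thread. It flags
# Set-Cookie names that disclose the framework behind a site, which is the
# concern the issue raises about the fixed nette-samesite / _nss name.

# Cookie name -> what it reveals. The two nette entries are taken from the
# thread; the remaining entries are assumed well-known defaults of other stacks.
KNOWN_COOKIE_NAMES = {
    "nette-samesite": "nette/http before 3.1 (SameSite cookie)",
    "_nss": "nette/http 3.1 or later (SameSite cookie)",
    "PHPSESSID": "PHP default session cookie",
    "JSESSIONID": "Java servlet container session cookie",
    "ASP.NET_SessionId": "ASP.NET session cookie",
}


def set_cookie_names(raw_response: str) -> list[str]:
    """Return the cookie name from every Set-Cookie header of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]  # headers only, body ignored
    names = []
    for line in head.split("\r\n"):
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            # the cookie-pair (name=value) is always the first attribute
            names.append(value.strip().split("=", 1)[0].strip())
    return names


def leaked_technologies(raw_response: str) -> list[tuple[str, str]]:
    """Pair each recognised cookie name with the technology it reveals."""
    return [
        (name, KNOWN_COOKIE_NAMES[name])
        for name in set_cookie_names(raw_response)
        if name in KNOWN_COOKIE_NAMES
    ]


# Constructed sample responses (not captured from a real server).
# Default names: the SameSite cookie and the PHP session cookie both leak.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: nette-samesite=1; path=/; HttpOnly; SameSite=Strict\r\n"
    "Set-Cookie: PHPSESSID=3f8a; path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Renamed cookies, using the fancyname-samesite value from the issue and an
# arbitrary session cookie name: nothing in the lookup table matches.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: fancyname-samesite=1; path=/; HttpOnly; SameSite=Strict\r\n"
    "Set-Cookie: sid=3f8a; path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, response in (("before", BEFORE), ("after", AFTER)):
        print(label, leaked_technologies(response))
```

Run it against a captured response from your own deployment; an empty result for the default-named cookies is the point of the configurability requested above, though renaming only removes one fingerprint and does not by itself hide the stack.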