envoyproxy/envoy

Security posture status for Stateful Session filter

Open

#39.289 aberto em 1 de mai. de 2025

Ver no GitHub
 (9 comments) (0 reactions) (0 assignees)C++ (5.373 forks)batch import
area/securityarea/stateful_sessionhelp wantedno stalebotquestion

Métricas do repositório

Stars
 (27.997 stars)
Métricas de merge de PR
 (Mesclagem média 8d) (378 fundiu PRs em 30d)

Description

Need an update on the improvement in the security posture for HTTP Stateful Session filter.

While going through the documentation to use the HTTP Stateful Session filter feature (Refer- https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/http/stateful_session/cookie/v3/cookie.proto), a note saying below is found. Same note is mentioned for header based session persistence as well.

This extension is functional but has not had substantial production burn time, use only with this caveat.

This extension has an unknown security posture and should only be used in deployments where both the downstream and upstream are trusted.

Also in the threat model, cookie based session persistence extension is marked as 'Unknown' for its security. Refer - https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/threat_model#core-and-extensions:~:text=envoy.http.stateful_session.cookie%20(alpha)

Due to this, unable to use this feature in our product as there is support for both HTTP and HTTPS connection to the application.

Is there any plan to improve the security posture for this feature?

Guia do colaborador