Add configurable verification of HttpOnly cookies in JWTAuthentication filter
#7.025 aberto em 21 de mai. de 2019
Métricas do repositório
- Stars
- (27.997 stars)
- Métricas de merge de PR
- (Mesclagem média 8d) (378 fundiu PRs em 30d)
Description
Title: Add configurable verification of HttpOnly cookies in JWTAuthentication filter
Problem:
One of the methods to protect against XSS attacks and token theft in web apps is the HttpOnly cookie that is set by the server, and that is not accessible from Javascript. A digest of the cookie value is recorded in the token and is verified by the server when the browser sends a request.
Proposal:
It would be very useful for JWT Authentication filter to extract the value from the cookie, take a sha256 digest and verify that a claim with the corresponding value is in the token.
Headers:
Cookie: secure_key=secure_value_1234567890
Envoy config
verify_secure_cookie: key: "secure_key" transform: [sha256, plaintext] claim_name: "cookie_key"