envoyproxy/envoy

Add configurable verification of HttpOnly cookies in JWTAuthentication filter

Open

#7,025 建立於 2019年5月21日

在 GitHub 查看
 (25 留言) (4 反應) (0 負責人)C++ (5,373 fork)batch import
enhancementhelp wanted

倉庫指標

Star
 (27,997 star)
PR 合併指標
 (平均合併 8天) (30 天內合併 378 個 PR)

描述

Title: Add configurable verification of HttpOnly cookies in JWTAuthentication filter

Problem:

One of the methods to protect against XSS attacks and token theft in web apps is the HttpOnly cookie that is set by the server, and that is not accessible from Javascript. A digest of the cookie value is recorded in the token and is verified by the server when the browser sends a request.

Proposal:

It would be very useful for JWT Authentication filter to extract the value from the cookie, take a sha256 digest and verify that a claim with the corresponding value is in the token.

Headers:

Cookie: secure_key=secure_value_1234567890

Envoy config

verify_secure_cookie: key: "secure_key" transform: [sha256, plaintext] claim_name: "cookie_key"

貢獻者指南