仓库指标
- Star
- (27,997 star)
- PR 合并指标
- (平均合并 8天) (30 天内合并 378 个 PR)
描述
Need an update on the improvement in the security posture for HTTP Stateful Session filter.
While going through the documentation to use the HTTP Stateful Session filter feature (Refer- https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/http/stateful_session/cookie/v3/cookie.proto), a note saying below is found. Same note is mentioned for header based session persistence as well.
This extension is functional but has not had substantial production burn time, use only with this caveat.
This extension has an unknown security posture and should only be used in deployments where both the downstream and upstream are trusted.
Also in the threat model, cookie based session persistence extension is marked as 'Unknown' for its security. Refer - https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/threat_model#core-and-extensions:~:text=envoy.http.stateful_session.cookie%20(alpha)
Due to this, unable to use this feature in our product as there is support for both HTTP and HTTPS connection to the application.
Is there any plan to improve the security posture for this feature?