• Sub-task
    • Resolution: Fixed
    • L3 - Default
    • 2.5.0-alpha1, 2.5.0
    • None
    • backend
    • None

      AT:

      • the Optimize auth session cookie has the SameSite flag set to Strict
      • this is also the case for SSO
      • the supported-environments section of the documentation mentions that only specific IE11 browser versions are supported
      • the SameSite cookie flag can be disabled via configuration

      Note:
      Setting SameSite=Strict might be a low-hanging fruit for CSRF protection on browsers that support it, see https://caniuse.com/#feat=same-site-cookie-attribute (yes, even IE11).

              Assignee: Unassigned
              Reporter: Sebastian Bathke (sebastian.bathke)