Commit a472682

docs: build fix
1 parent 4901a57 commit a472682

1 file changed: doc/sphinx-guides/source/installation/config.rst

Lines changed: 6 additions & 4 deletions

@@ -3940,7 +3940,7 @@ By itself, this feature flag does not enable CSRF protections. For stricter prot
39403940
.. _dataverse.feature.api-session-auth-hardening:
39413941

39423942
dataverse.feature.api-session-auth-hardening
3943-
+++++++++++++++++++++++++++++++++++++++++++
3943+
++++++++++++++++++++++++++++++++++++++++++++
39443944

39453945
Enables additional hardening for session-cookie API usage. This flag only has an effect when ``dataverse.feature.api-session-auth`` is also enabled.
39463946
The rules are based on request authentication mechanism (session cookie), not on the identity provider used to create the session
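Review bot: extending the `+` underline at 3943 by one character is the right fix for the Sphinx "Title underline too short" warning (the title `dataverse.feature.api-session-auth-hardening` is 44 characters and the old row was shorter), but docutils only requires the underline to be at least as long as the title, so leaving a few characters of slack would keep the next rename of the flag from breaking the build the same way. While this section is being touched, the unchanged context line at 3946 ends without a full stop ("... used to create the session") and reads better as "based on the request authentication mechanism"; that is a one-line fix that belongs in the same commit.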
@@ -3953,20 +3953,21 @@ When enabled, Dataverse applies these protections for requests authenticated via
39533953
- Blocks session-cookie auth access to mutating ``/api/access/*`` endpoints (except the batch download POST above).
39543954
- Requires strict Origin/Referer validation plus the ``X-Dataverse-CSRF-Token`` header on:
39553955
- state-changing API calls (``POST``, ``PUT``, ``PATCH``, ``DELETE``) outside the ``/api/access`` compatibility rules above,
3956-
- and the two known mutating ``GET`` calls:
3957-
``/api/datasets/{id}/uploadurls`` and ``/api/datasets/{id}/cleanStorage``.
3956+
- and the two known mutating ``GET`` calls: ``/api/datasets/{id}/uploadurls`` and ``/api/datasets/{id}/cleanStorage``.
39583957
- Exposes ``/api/users/:csrf-token`` for authenticated session-cookie clients to retrieve the CSRF token.
39593958

39603959
.. _session-cookie-hardening-guidance:
39613960

3962-
Session-cookie hardening deployment guidance:
3961+
Session-cookie hardening deployment guidance
3962+
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
39633963

39643964
- Use HTTPS end-to-end (or trusted TLS termination before Dataverse).
39653965
- Ensure JSESSIONID cookies are set with ``Secure`` and ``HttpOnly``.
39663966
- Use ``SameSite=Lax`` (recommended default) or ``SameSite=Strict`` if your login/redirect flow supports it.
39673967
``SameSite=Strict`` can break some cross-site IdP/login return flows.
39683968

39693969
How to verify and set ``JSESSIONID`` cookie flags (Payara)
3970+
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
39703971

39713972
- Verify cookie flags from a response header:
39723973

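Review bot: two things to verify on the new headings in this hunk. First, `Session-cookie hardening deployment guidance` (3961-3962) and `How to verify and set ``JSESSIONID`` cookie flags (Payara)` (3969-3970) now get `^` underlines directly beneath a `+`-level title; docutils assigns heading levels by order of first appearance, so confirm that `^` is either new to config.rst or already the adornment used one level below `+`, otherwise the build fails with "Title level inconsistent" rather than the warning this commit set out to fix. Second, the `.. _session-cookie-hardening-guidance:` label at 3960 now sits immediately above a section title, so a bare `:ref:` without explicit link text will resolve; before this change it pointed at a paragraph ("Session-cookie hardening deployment guidance:") and a bare `:ref:` would have produced an undefined-label-style error, so check that no caller was relying on explicit text that is now redundant. Folding the endpoint list at 3957 into the bullet text at 3956 is the right fix: a continuation line under a list item that is not indented to the item's text makes docutils close the list and emit the "Bullet list ends without a blank line" / "Unexpected indentation" pair, which is the likely source of the build warning. The underline lengths themselves check out (44 characters for the 44-character guidance title, 58 for the 58-character Payara title).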
@@ -3995,6 +3996,7 @@ How to verify and set ``JSESSIONID`` cookie flags (Payara)
39953996
After changing these settings, restart Payara and re-check the response headers.
39963997

39973998
Session-Cookie Hardening vs Bearer Token Auth
3999+
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
39984000

39994001
- Session-cookie auth and bearer-token auth use different trust models. Session cookie
40004002
(``JSESSIONID``) is automatically sent by browsers, while bearer token is sent only when the
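Review bot: heading capitalisation is now inconsistent between sibling `^` sections: `Session-Cookie Hardening vs Bearer Token Auth` (3998) is title case, while `Session-cookie hardening deployment guidance` and `How to verify and set ``JSESSIONID`` cookie flags (Payara)` in the previous hunk are sentence case; pick one form for all three before this lands. The 45-character `^` row at 3999 matches the title length, and promoting this line to a real heading is correct, since the context at 3996 ("After changing these settings, restart Payara and re-check the response headers.") closes the Payara procedure and the bearer-token comparison that follows is a separate topic that should not render as a trailing paragraph of that procedure.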
