Hello,
We are using Orejime v3 on a site and want to enhance the security of Orejime cookies according to OWASP Top 10 best practices, particularly for:
- Protection against Security Misconfiguration (A5) and Sensitive Data Exposure (A3).
- Reducing risks associated with browser-exposed cookies.
Source: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes
Our goals:
- Add the __Secure- prefix to Orejime cookies.
- Enable the Secure attribute so cookies are only sent over HTTPS.
- Set SameSite=Lax to reduce CSRF risks.
Issue:
Currently, Orejime JS creates the cookie on the client side, but there is no option to set Secure or SameSite when creating the cookie.
Questions for the maintainer:
- Is there an official way to create Orejime cookies with __Secure- and Secure?
- Are there plans to provide a configuration option or a JS hook/event to set SameSite and Secure attributes?
- If not currently possible, what approach do you recommend to make Orejime cookies secure on the client side while remaining compatible with the library’s normal behavior?
Thank you for your guidance and support.
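As an added example (not Orejime's code, and not a hook the library offers), a small client-side helper that builds a cookie string carrying the attributes listed above and audits an existing cookie string for the same hardening; the cookie name `__Secure-orejime` and the helper names are assumptions for illustration only.

```javascript
// Added example, not part of Orejime. Builds the string one would assign to
// document.cookie with the __Secure- prefix, Secure and SameSite=Lax, and
// audits an existing cookie string for those attributes.
// "__Secure-orejime" is a constructed placeholder name, not one the library uses.

// Browsers silently reject prefixed cookies that violate the prefix rules
// (RFC 6265bis): __Secure- needs Secure; __Host- also needs Path=/ and no Domain.
// Both also only take effect when set from an https origin (window.isSecureContext).
const PREFIX_RULES = {
  '__Secure-': (a) => a.secure,
  '__Host-': (a) => a.secure && !a.domain && a.path === '/',
};

function buildCookieString(name, value, attrs = {}) {
  const a = { secure: false, sameSite: 'Lax', path: '/', ...attrs };
  for (const [prefix, ok] of Object.entries(PREFIX_RULES)) {
    if (name.startsWith(prefix) && !ok(a)) {
      throw new Error(`${prefix} cookies require Secure` +
        (prefix === '__Host-' ? ', Path=/ and no Domain' : ''));
    }
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${a.path}`];
  if (a.domain) parts.push(`Domain=${a.domain}`);
  if (a.maxAge !== undefined) parts.push(`Max-Age=${a.maxAge}`);
  parts.push(`SameSite=${a.sameSite}`);
  if (a.secure) parts.push('Secure');
  return parts.join('; ');
}

// Report which hardening attributes a cookie string (as assigned to
// document.cookie, or from a Set-Cookie header) is missing.
function auditCookieString(cookieStr) {
  const [nameValue, ...attrs] = cookieStr.split(';').map((s) => s.trim());
  const name = nameValue.split('=')[0];
  const lower = attrs.map((s) => s.toLowerCase());
  const has = (p) => lower.some((s) => s === p || s.startsWith(`${p}=`));
  const findings = [];
  if (!has('secure')) findings.push('missing Secure');
  if (!has('samesite')) findings.push('missing SameSite');
  else if (lower.includes('samesite=none') && !has('secure')) findings.push('SameSite=None requires Secure');
  if (!name.startsWith('__Secure-') && !name.startsWith('__Host-')) findings.push('no cookie prefix');
  return findings;
}
```

In a browser, `document.cookie = buildCookieString('__Secure-orejime', value, { secure: true, maxAge: 31536000 })` writes the hardened cookie; the audit helper is useful in a test that reads the consent cookie back and fails if an attribute was dropped.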