Set secure flag on all cookies
A cookie has been set without the secure flag, which means that the cookie may be transmitted over unencrypted connections.
Whenever a cookie contains sensitive information or is a session token, it should always be passed over an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.
The cookie 'payload' that I received was: 31d0051f82cb15f205e311d665237ae8; path=/; expires=Sun, 23-Oct-2016 00:25:31 GMT; HttpOnly
see: https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)
This currently is based on the Rails setting of force_ssl. It also turns on HSTS, which we do not want for self-signed certs.
After upgrading to Rails 5 we will be able to enforce secure cookies without enforcing HSTS.
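The finding above can be reproduced with a small audit of the Set-Cookie header. This is an added example, not code from the project; it assumes a cookie name of "session" (the report does not give the name) and otherwise uses the cookie value quoted in the issue.

```ruby
# Audit a Set-Cookie header value for the Secure and HttpOnly flags.
# Constructed sample: the attributes are those quoted in the issue; the
# cookie name "session" is an assumption, since the report omits it.
SAMPLE_SET_COOKIE = "session=31d0051f82cb15f205e311d665237ae8; path=/; " \
                    "expires=Sun, 23-Oct-2016 00:25:31 GMT; HttpOnly"

# Parse a Set-Cookie value into name, value and a hash of attributes.
# Attribute names are downcased; flag attributes without a value map to true.
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip)
  name, value = pair.split("=", 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    k, v = attr.split("=", 2)
    h[k.downcase] = v.nil? ? true : v
  end
  { name: name, value: value, attrs: attributes }
end

# Return the hardening flags that are missing from a cookie that carries a
# session token or other sensitive data. An empty array means both are set.
def missing_cookie_flags(header)
  cookie = parse_set_cookie(header)
  missing = []
  missing << "Secure" unless cookie[:attrs]["secure"]
  missing << "HttpOnly" unless cookie[:attrs]["httponly"]
  missing
end

if __FILE__ == $PROGRAM_NAME
  cookie = parse_set_cookie(SAMPLE_SET_COOKIE)
  flags = missing_cookie_flags(SAMPLE_SET_COOKIE)
  puts "#{cookie[:name]}: missing #{flags.empty? ? 'nothing' : flags.join(', ')}"
end
```

Run against the quoted header this reports only Secure as missing, which is exactly the finding in this issue; a cookie issued with both flags yields an empty list.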
(from redmine: created on 2016-10-24)
- Relations:
- blocks #8584