Security: make CSRF cookie more secure

miguno · miguno · commit 4b3381f2c139 · 2025-04-26T11:32:29.000+02:00
To fix the following warnings:

1. Error:  Low: Sensitive data may be stored by the application in a
   cookie [com.miguno.migunos.filters.CustomCsrfFilter] At
   CustomCsrfFilter.java:[line 31] COOKIE_USAGE

2. Error:  Medium: Cookie without the HttpOnly flag could be read by a
   malicious script in the browser
   [com.miguno.migunos.filters.CustomCsrfFilter] At
   CustomCsrfFilter.java:[line 32] HTTPONLY_COOKIE

3. Error:  Medium: Cookie without the secure flag could be sent in clear
   text if an HTTP URL is visited
   [com.miguno.migunos.filters.CustomCsrfFilter] At
   CustomCsrfFilter.java:[line 32] INSECURE_COOKIE
diff --git a/src/main/java/com/miguno/javadockerbuild/security/CustomCsrfFilter.java b/src/main/java/com/miguno/javadockerbuild/security/CustomCsrfFilter.java
@@ -28,6 +28,8 @@ protected void doFilterInternal(
       if (cookie == null || token != null && !token.equals(cookie.getValue())) {
         cookie = new Cookie(CSRF_COOKIE_NAME, token);
         cookie.setPath("/");
+        cookie.setHttpOnly(true);
+        cookie.setSecure(true);
         response.addCookie(cookie);
       }
     }

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,8 @@ protected void doFilterInternal(`
`28`	`28`	`if (cookie == null \|\| token != null && !token.equals(cookie.getValue())) {`
`29`	`29`	`cookie = new Cookie(CSRF_COOKIE_NAME, token);`
`30`	`30`	`cookie.setPath("/");`
	`31`	`+ cookie.setHttpOnly(true);`
	`32`	`+ cookie.setSecure(true);`
`31`	`33`	`response.addCookie(cookie);`
`32`	`34`	`}`
`33`	`35`	`}`