Implement anti csrf measures

This is done by using the "samesite" cookie attribute.
author: xXx-caillou-xXx 2017-11-24 14:03:37 +0100
committer: jvoisin 2017-11-24 14:03:37 +0100
commit: 5a224ee0c92d1639395d6a0c629316ae64226125 (patch)
tree: 8925d27e2bbfa877e9fb1fc20868fbef3d009b04 /doc/source/config.rst
parent: 79304a29661476dc75bba07c5a83133122bbcb5c (diff)
1 files changed, 22 insertions, 2 deletions
diff --git a/doc/source/config.rst b/doc/source/config.rst
index fc0df2d..c271403 100644
--- a/doc/source/config.rst
+++ b/doc/source/config.rst
@@ -115,6 +115,26 @@ It can either be ``enabled`` or ``disabled``.
  sp.auto_cookie_secure.enable();
  sp.auto_cookie_secure.disable();
+cookie_samesite
+^^^^^^^^^^^^^^^^
+ * `default: disabled`
+ 
+``samesite`` will add the `samesite <https://tools.ietf.org/html/draft-west-first-party-cookies-07>`_
+attribute to cookies. It `prevents CSRF <https://www.owasp.org/index.php/SameSite>`_
+but is not implemented by `all web browsers <https://caniuse.com/#search=samesite>`_ yet.
+It can either be set to ``strict`` or ``lax``:
+- The ``lax`` attribute prevents cookies from being sent cross-domain for
+  "dangerous" methods, like ``POST``, ``PUT`` or ``DELETE``.
+- The ``strict`` one prevents any cookies from beind sent cross-domain.
+::
+  sp.cookie.name("cookie1").samesite("lax");
+  sp.cookie.name("cookie2").samesite("strict");;
 .. _cookie-encryption_config:
 cookie_encryption
@@ -137,8 +157,8 @@ It can either be ``enabled`` or ``disabled`` and can be used in ``simulation`` m
 ::
-  sp.cookie_encryption.cookie("my_cookie_name");
+  sp.cookie.name("my_cookie_name").encrypt();
-  sp.cookie_encryption.cookie("another_cookie_name");
+  sp.cookie.name("another_cookie_name").encrypt();
 Choosing the proper environment variable
 """"""""""""""""""""""""""""""""""""""""
author	xXx-caillou-xXx	2017-11-24 14:03:37 +0100
committer	jvoisin	2017-11-24 14:03:37 +0100
commit	5a224ee0c92d1639395d6a0c629316ae64226125 (patch)
tree	8925d27e2bbfa877e9fb1fc20868fbef3d009b04 /doc/source/config.rst
parent	79304a29661476dc75bba07c5a83133122bbcb5c (diff)

diff --git a/doc/source/config.rst b/doc/source/config.rst index fc0df2d..c271403 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst
@@ -115,6 +115,26 @@ It can either be ``enabled`` or ``disabled``.
115	sp.auto_cookie_secure.enable();	115	sp.auto_cookie_secure.enable();
116	sp.auto_cookie_secure.disable();	116	sp.auto_cookie_secure.disable();
117		117
		118	cookie_samesite
		119	^^^^^^^^^^^^^^^^
		120	* `default: disabled`
		121
		122	``samesite`` will add the `samesite <https://tools.ietf.org/html/draft-west-first-party-cookies-07>`_
		123	attribute to cookies. It `prevents CSRF <https://www.owasp.org/index.php/SameSite>`_
		124	but is not implemented by `all web browsers <https://caniuse.com/#search=samesite>`_ yet.
		125
		126	It can either be set to ``strict`` or ``lax``:
		127
		128	- The ``lax`` attribute prevents cookies from being sent cross-domain for
		129	"dangerous" methods, like ``POST``, ``PUT`` or ``DELETE``.
		130
		131	- The ``strict`` one prevents any cookies from beind sent cross-domain.
		132
		133	::
		134
		135	sp.cookie.name("cookie1").samesite("lax");
		136	sp.cookie.name("cookie2").samesite("strict");;
		137
118	.. _cookie-encryption_config:	138	.. _cookie-encryption_config:
119		139
120	cookie_encryption	140	cookie_encryption
@@ -137,8 +157,8 @@ It can either be ``enabled`` or ``disabled`` and can be used in ``simulation`` m
137		157
138	::	158	::
139		159
140	sp.cookie_encryption.cookie("my_cookie_name");	160	sp.cookie.name("my_cookie_name").encrypt();
141	sp.cookie_encryption.cookie("another_cookie_name");	161	sp.cookie.name("another_cookie_name").encrypt();
142		162
143	Choosing the proper environment variable	163	Choosing the proper environment variable
144	""""""""""""""""""""""""""""""""""""""""	164	""""""""""""""""""""""""""""""""""""""""