Add secure cookies when remote is localhost #858
base: master
@@ -621,6 +621,25 @@ function hash(sess) { | |
*/ | ||
|
||
function issecure(req, trustProxy) { | ||
|
||
// socket is localhost | ||
if (req.connection.remoteAddress === '127.0.0.1' || | ||
req.connection.remoteAddress === '::ffff:127.0.0.1' || | ||
req.connection.remoteAddress === '::1' | ||
) { | ||
// if proxy is trusted; localhost connection is secure for sure | ||
if (trustProxy === true) { | ||
return true; | ||
} | ||
|
||
// proxy not explicitly trusted; no proxy means connection is secure | ||
if (req.headers['x-forwarded-proto'] !== undefined) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Unfortunately this is also not a reliable test, because if the user does not trust the connection as a proxy, this header may not be set if not a proxy or may be forgable by the client. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Sorry I am not sure what you mean, maybe I am missing some possible network configuration? Since we detect a localhost connection we could trust the remote (reverse proxy or client) right? Please correct me if I am wrong There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Not unless the user of this module specifies they trust it. This fixed a reported security vulnerability. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Oh I see what you mean, so we can conclude that the only thing we can do is return true if the proxy is trusted and the connection is localhost, right? |
||
return true; | ||
} | ||
|
||
// proxy connected from localhost, we need to do other checks | ||
} | ||
|
||
// socket is https server | ||
if (req.connection && req.connection.encrypted) { | ||
return true; | ||
|
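Review bot: the branch at `if (req.headers['x-forwarded-proto'] !== undefined) {` returns true when the header is present, which is the opposite of what the comment above it says ("no proxy means connection is secure") and, in the untrusted-proxy case this branch is reached in, bases the secure decision on a header the client itself can supply; the safe outcome for a localhost socket without `trustProxy` is to fall through to the existing encrypted-socket check rather than return true. Also, the new block reads `req.connection.remoteAddress` without a guard while the check below it still tests `req.connection &&`; make the two consistent.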
It wouldn't just be behind trust proxy, as you can still have an HTTP connection through a proxy.
Yeah, my bad. Does "node.js behind an HTTPS proxy and 'trust proxy' in express" sound good? I also need to update the localhost one, specifying that "trust proxy" is also needed.
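The thread on the X-Forwarded-Proto line above, and the documentation comments here, turn on one point: a forwarded header proves nothing until the operator has opted into trusting the proxy. As an added illustration that is not code from expressjs/session, here is the hunk's check modelled next to a hardened form written to the thread's conclusion; the request objects are constructed stand-ins for Node's IncomingMessage.

```javascript
// Added example, not code from expressjs/session: models the two readings of
// "is this request secure?" argued in the thread, using constructed request
// objects in place of Node's IncomingMessage.
const LOCALHOST = new Set(['127.0.0.1', '::ffff:127.0.0.1', '::1']);

// The hunk's logic as shown: a localhost socket plus any X-Forwarded-Proto
// header is treated as secure even though no proxy has been trusted.
function issecureProposed(req, trustProxy) {
  if (LOCALHOST.has(req.connection.remoteAddress)) {
    if (trustProxy === true) return true;
    if (req.headers['x-forwarded-proto'] !== undefined) return true;
  }
  return Boolean(req.connection && req.connection.encrypted);
}

// The reviewer's position: headers only count once the operator has set
// trustProxy; a localhost socket is then taken as secure, as the thread concludes.
function issecureHardened(req, trustProxy) {
  const conn = req.connection || {};
  if (conn.encrypted) return true;          // TLS terminated on this socket
  if (trustProxy !== true) return false;    // untrusted: nothing else is proof
  if (LOCALHOST.has(conn.remoteAddress)) return true;
  const proto = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
  return proto.toLowerCase() === 'https';
}

// Constructed request: plain-HTTP socket from localhost carrying a header that
// claims the request was https. No proxy is involved.
function localRequestClaimingHttps() {
  return {
    connection: { remoteAddress: '127.0.0.1', encrypted: undefined },
    headers: { 'x-forwarded-proto': 'https' },
  };
}

// Side-by-side verdicts for the same request when no proxy is trusted.
function compare(req) {
  return { proposed: issecureProposed(req, false), hardened: issecureHardened(req, false) };
}

console.log(compare(localRequestClaimingHttps())); // { proposed: true, hardened: false }
```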