From a7f6c83356f264477aefe2330a6bce3cb6f31fb4 Mon Sep 17 00:00:00 2001
From: Rohith
Date: Thu, 12 Jul 2018 21:24:52 +0100
Subject: [PATCH] Http Only Cookie Default
- changing the default to ensure the cookie is http only by default
---
 CHANGELOG.md | 5 ++++-
 config.go | 5 +++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4a39043fb..4c293957c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,11 +1,14 @@
-#### **2.2.3 (Unreleased)**
+#### **2.3.0 (Unreleased)**
 FEATURES:
 * Added the ability to use a "any" operation on the roles rather then just "and" with the inclusion of a `require-any-role` [#PR389](https://github.com/gambol99/keycloak-proxy/pull/389)
 * Added a `--enable-request-id` option to inject a request id into the upstream request [#PR392](https://github.com/gambol99/keycloak-proxy/pull/392)
 * Added the ability for the proxy to generate self-signed certificates for use via the `--enable-self-signed-tls` [#PR394](https://github.com/gambol99/keycloak-proxy/pull/394)
+BREAK CHANGES
+* Added the http-cookie-only option as default true [#PR397](https://github.com/gambol99/keycloak-proxy/pull/397)
+
 #### **2.2.2**
 FEATURES:
diff --git a/config.go b/config.go
index c43bb4b04..217524fdf 100644
--- a/config.go
+++ b/config.go
@@ -42,14 +42,15 @@ func newDefaultConfig() *Config {
 EnableDefaultDeny: true,
 EnableSessionCookies: true,
 EnableTokenHeader: true,
-SelfSignedTLSHostnames: hostnames,
-SelfSignedTLSExpiration: 3 * time.Hour,
+HTTPOnlyCookie: true,
 Headers: make(map[string]string),
 LetsEncryptCacheDir: "./cache/",
 MatchClaims: make(map[string]string),
 OAuthURI: "/oauth",
 OpenIDProviderTimeout: 30 * time.Second,
 PreserveHost: false,
+SelfSignedTLSExpiration: 3 * time.Hour,
+SelfSignedTLSHostnames: hostnames,
 RequestIDHeader: "X-Request-ID",
 ResponseHeaders: make(map[string]string),
 SecureCookie: true,
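Review bot: The two re-added `SelfSignedTLSExpiration` / `SelfSignedTLSHostnames` lines are placed between `PreserveHost` and `RequestIDHeader`, which breaks the alphabetical order the rest of the `Config` literal keeps; they sort after `SecureCookie` (or among whatever `Se…` fields follow it past the end of the hunk). Since `HTTPOnlyCookie: true` is a deliberate, changelog-announced change of a security default, the line deserves a why-comment so the next reader does not "fix" it back, e.g. `// HttpOnly by default: the session cookie is not readable from page scripts; opt out explicitly.`. The flag's usage/help text that states this default is outside the hunk, so it is worth confirming it was updated to say the default is now true. The `newDefaultConfig` literal continues beyond the end of this hunk.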