Secure by Default

- switching on session only cookies by default - switching on the default denial by default
louketo · May 25, 2018 · a880189 · a880189
1 parent a2849c0
commit a880189
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,5 @@
 
-#### **2.1.2 (Unreleased)**
+#### **2.2.0 (Unreleased)**
 
 FEATURES:
 * Added a `--enable-default-deny` option to make denial by default [#PR320](https://github.com/gambol99/keycloak-proxy/pull/320)
@@ -31,6 +31,9 @@ FIXES:
 * Fixed the issue with a zero exp claim [#PR355](https://github.com/gambol99/keycloak-proxy/pull/355)
 * Added a method check for the hijacker [#PR302](https://github.com/gambol99/keycloak-proxy/pull/302)
 
+BREAKING CHANGES:
+* Making the cookies session only by default and turning the default denial on [#PR368](https://github.com/gambol99/keycloak-proxy/pull/368)
+
 #### **2.1.1**
 
 FEATURES:

diff --git a/README.md b/README.md
@@ -34,7 +34,7 @@ USAGE:
    keycloak-proxy [options]
 
 VERSION:
-   v2.1.1 (git+sha: c1e8399-dirty, built: 12-05-2018)
+   v2.2.0 (git+sha: 72a3646-dirty, built: 25-05-2018)
 
 AUTHOR:
    Rohith <gambol99@gmail.com>
@@ -252,7 +252,7 @@ bin/keycloak-proxy \
     --resources="uri=/public/*|white-listed=true"
 ```
 
-The **recommended** deployment to use a default denial to all requests via `--enable-default-deny=true` or `--resources="uri=/*"` and to then explicityly allow what you want through.
+Note from release 2.2.0 the `--enable-default-deny` is true by default and should explicityly allow what you want through.
 
 #### **HTTP Routing**
 
@@ -286,6 +286,10 @@ DEBU[0002] resource access permitted: /favicon.ico       access=permitted bearer
 2016-02-06 13:59:01.856716 I | http: proxy error: dial tcp 127.0.0.1:8081: getsockopt: connection refused
 ```
 
+#### **Session Only Cookies**
+
+By default the access and refresh cookies are session only and disposed of on broswer close; you can disable this feature via the `--enable-session-cookies` option.
+
 #### **Forward Signing Proxy**
 
 Forward signing provides a mechanism for authentication and authorization between services using tokens issued from the IDp. When operating with in the mode the proxy will automatically acquire an access token (handling the refreshing or logins on your behalf) and tag outbound requests with a Authorization header. You can control which domains are tagged with the --forwarding-domains option. Note, this option use a **contains** comparison on domains. So, if you wanted to match all domains under *.svc.cluster.local can and simply use: --forwarding-domain=svc.cluster.local.

diff --git a/config.go b/config.go
@@ -32,6 +32,8 @@ func newDefaultConfig() *Config {
 		CookieRefreshName:           "kc-state",
 		EnableAuthorizationCookies:  true,
 		EnableAuthorizationHeader:   true,
+		EnableDefaultDeny:           true,
+		EnableSessionCookies:        true,
 		EnableTokenHeader:           true,
 		Headers:                     make(map[string]string),
 		LetsEncryptCacheDir:         "./cache/",

diff --git a/doc.go b/doc.go
@@ -27,7 +27,7 @@ import (
 )
 
 var (
-	release  = "v2.1.1"
+	release  = "v2.2.0"
 	gitsha   = "no gitsha provided"
 	compiled = "0"
 	version  = ""