Improving Cookie Security
Defending your browser from CSRF attacks
To defend your browser from cross-site request forgery (CSRF) attacks , you can add a cookie same-site setting to FileCloud.
The cookie same-site value can be set to the following, as stated in the MDN Web Docs site at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite:
- Lax - Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is navigating to the origin site (i.e., when following a link).
- Strict - Cookies will only be sent in a first-party context and not be sent along with requests initiated by third-party websites.
- None - Cookies will be sent in all contexts, i.e. in responses to both first-party and cross-origin requests. If SameSite=None is set, the cookie Secure attribute must also be set (or the cookie will be blocked).
To set the Secure attribute, see Adding httponly and secure flags, below.
For more information, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite.
To specify a cookie same-site value:
- Open cloudconfig.php:
Windows Location: XAMPP DIRECTORY/htdocs/config/cloudconfig.php
Linux Location: /var/www/config/cloudconfig.php
To set the cookie same-site setting to strict, add:
To set the cookie same-site setting to lax (the default), add:
To set the cookie same-site setting to none, add:
Adding httponly and secure flags
You can take additional steps to make your cookies secure from external attacks by adding httponly and secure flags when sending cookies through HTTP headers.
What do httponly and secure flags do?
- Most sites are accessed by https, but some sites may also be accessed by http or some of their components may be sent through http. This leaves cookies vulnerable to being accessed over http. A secure flag prevents them from being accessed through http by only allowing them to be transmitted over https.
To configure FileCloud to always use the httponly and secure flags in HTTP headers:
- Open cloudconfig.php.
- Windows Location : C:\xampp\htdocs\config\cloudconfig.php
- Linux Location : /var/www/html/config/cloudconfig.php
Add the following:
define("TONIDOCLOUD_SECURE_COOKIE", 1); define("TONIDOCLOUD_HTTPONLY_COOKIE", 1);