Description

RapiDAST/ZAP security scan against RHDH 1.9.4 (Backstage 1.45.3) reports that the `SameSite` attribute is not set to `lax` or `strict` for auth cookies.

This was previously raised upstream in backstage/backstage#28162 but was closed as stale without a fix.

Affected cookies

- `refresh-token` and `granted-scope` cookies set in `plugins/auth-node/src/oauth/OAuthCookieManager.ts`
- `backstage-auth` cookie set in `packages/backend-defaults/src/entrypoints/httpAuth/httpAuthServiceFactory.ts`, currently hardcoded to `sameSite: 'none'`

Environment

- RHDH Version: 1.9.4
- Backstage Version: 1.45.3
- Scanner: RapiDAST / ZAP

Expected behavior

Auth cookies should set `SameSite=Lax` (or `Strict` when the app and auth backend share the same origin) to mitigate CSRF attacks.

Suggested fix

Apply the fix in the Express configuration, e.g.:

```ts
// packages/backend/src/index.ts or similar
import express from 'express';
import session from 'express-session';
const app = express();
app.use(session({
  secret: process.env.SESSION_SECRET ?? 'change-me', // placeholder; express-session requires a secret
  cookie: { sameSite: 'lax', secure: true },
}));
```
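As an added example (not code from Backstage or RHDH), the following TypeScript reproduces the scanner's check over `Set-Cookie` headers for the three cookies named above and builds the attribute set the suggested fix should produce; the sample headers are constructed, and `auditSetCookie`, `findWeakAuthCookies` and `hardenedAuthCookie` are hypothetical names.

```typescript
// Added example: audit Set-Cookie headers for the SameSite weakness ZAP reports,
// and emit the hardened header for the auth cookies. Cookie names come from the
// issue; everything else here is constructed for illustration.

type SameSite = 'Strict' | 'Lax' | 'None' | undefined;

interface CookieFinding {
  name: string;
  sameSite: SameSite;
  secure: boolean;
  ok: boolean; // true only when SameSite is explicitly Lax or Strict
}

// Parse one Set-Cookie header value into the attributes the audit cares about.
export function auditSetCookie(header: string): CookieFinding {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eqName = pair.indexOf('=');
  const name = (eqName < 0 ? pair : pair.slice(0, eqName)).trim();
  let sameSite: SameSite;
  let secure = false;
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq < 0 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const val = eq < 0 ? '' : attr.slice(eq + 1).trim().toLowerCase();
    if (key === 'samesite') {
      sameSite = val === 'strict' ? 'Strict' : val === 'lax' ? 'Lax' : val === 'none' ? 'None' : undefined;
    } else if (key === 'secure') {
      secure = true;
    }
  }
  // Chromium defaults a missing SameSite to Lax, other browsers do not, so the
  // scanner flags an unset attribute as well as an explicit None.
  return { name, sameSite, secure, ok: sameSite === 'Lax' || sameSite === 'Strict' };
}

// Auth cookies from the issue that must not be SameSite=None or unset.
export const AUTH_COOKIES = ['backstage-auth', 'refresh-token', 'granted-scope'];

// Names of the auth cookies among the given headers that fail the check.
export function findWeakAuthCookies(headers: string[]): string[] {
  return headers
    .map(auditSetCookie)
    .filter(f => AUTH_COOKIES.includes(f.name) && !f.ok)
    .map(f => f.name);
}

// Build the hardened Set-Cookie header the suggested fix would produce.
export function hardenedAuthCookie(name: string, value: string, sameSite: 'Lax' | 'Strict' = 'Lax'): string {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`;
}
```

Running `findWeakAuthCookies` over the headers captured from a login round-trip gives the same list the scanner reports, which makes it a cheap regression check to keep after the fix lands.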