Implement secure cookies by default

[kdp-cloud]

• Use for secure cookies in a production environment
• Force SSL in production environment

[stuzart]

I'm not clear how this will affect running with docker and an nginx / apache front end forwarder. Will need some testing, possible ngnix configuration changes, and maybe an ENV variable to override.
For these reasons I think it might be better left for the main branch and next major version

[kdp-cloud]

I'm not clear how this will affect running with docker and an nginx / apache front end forwarder. Will need some testing, possible ngnix configuration changes, and maybe an ENV variable to override. For these reasons I think it might be better left for the main branch and next major version

I changed the branch to main and the milestone to 1.17, but I'm not sure you should override this config in production since this implicates security issues.

[stuzart]

I'm not clear how this will affect running with docker and an nginx / apache front end forwarder. Will need some testing, possible ngnix configuration changes, and maybe an ENV variable to override. For these reasons I think it might be better left for the main branch and next major version

I changed the branch to main and the milestone to 1.17, but I'm not sure you should override this config in production since this implicates security issues.

The docker containers always run in production, but are often used through http, e.g for testing, trying out seek, local installation behind a firewall or reverse proxy or load balancer.

I had a good look into this yesterday and some testing, and all is needed is the config.force_ssl, as this also sets the secure cookie https://api.rubyonrails.org/v7.2.2.1/classes/ActionDispatch/SSL.html, which also sets the HSTS (which I found afterwards blocked me from localhost:3000 and was a pain to remove, ending up needing to go to chrome://net-internals/#hsts and I'd be curious how this affects the http->https redirect as it being blocked by my browser )

You may also configure secure cookies separately through the apache or nginx config, which is what we do for https://fairdomhub.org - which may be preferable as it separates the application logic from deployment.

My conclusion is that it would be best to allow force_ssl to be turned on with an environment variable, but off by default, but update our docs and docker-compose file to recommend turning it on if deploying a production instance on the web, if the front end proxy hasn't already been configured instead. We can discuss this more in the meeting today.

[kdp-cloud]

As discussed:

• HSTS directive will be set on proxy level
• Secure cookies will be set on proxy level
• Enabling HSTS and secure cookies will described in the documentation (PR)
• The SameSite directive is defined application-side:
  • The session cookie is set to 'Lax' to permit external authentication like OAUTH2
  • Other cookies are set to 'Strict'