Trusted header auth security #7229
Replies: 1 comment
Please note this response was created using generative AI leveraging previously available information from the repository. This information may be helpful; however, it is our strong recommendation that you carefully consider the information before blindly applying it.

Authelia does implement several measures to mitigate CSRF (Cross-Site Request Forgery) attacks, particularly through the use of cookies configured with security-focused attributes. According to the provided documentation, Authelia sets cookies with the

While these settings provide a robust defense against many types of web-based attacks, including CSRF, the effectiveness can depend on the specific configuration and deployment scenario. For instance, if an application has an XSS vulnerability, it could still potentially be exploited in other ways, even if the cookie itself is protected. For applications running on different subdomains where

If you are particularly concerned about CSRF attacks in a multi-subdomain environment, you might consider setting the

This comment was generated by Glime.
Header SSO provides a really nice UX for apps that support it. You can have multiple apps running on different subdomains, and only need to authenticate once with the auth server to be automatically logged into all of them.
However, there's a potential CSRF issue, because apps on different subdomains are considered to be the same "site". This means that cookies which use SameSite=Lax or Strict don't block requests between apps. So if you have an evil app, or one with an XSS vulnerability, your apps aren't safe from each other.
Does Authelia have any protections against this?
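As an added illustration (example code, not Authelia's own and not from either post), the Python below shows why a SameSite cookie does not separate sibling subdomains, and the per-origin check an app behind header SSO can apply to state-changing requests instead. The two-label "site" computation is an assumption made for brevity; real browsers consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Request methods that must not change state; CSRF checks apply to the rest.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url: str) -> str:
    """Return scheme://host[:port] for a URL, lower-cased, default ports dropped."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), (p.hostname or "").lower(), p.port
    if port is None or (scheme, port) in (("https", 443), ("http", 80)):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def same_site(origin_a: str, origin_b: str) -> bool:
    """Schemeful same-site test as browsers apply it to SameSite cookies.
    Simplification (assumption of this example): the site is the scheme plus
    the last two host labels, rather than the Public Suffix List's eTLD+1."""
    def site(origin: str):
        p = urlsplit(origin)
        return p.scheme.lower(), ".".join((p.hostname or "").lower().split(".")[-2:])
    return site(origin_a) == site(origin_b)


def allowed_by_origin_check(method: str, headers: dict, app_origin: str) -> bool:
    """Allow a state-changing request only if its Origin (or, failing that,
    its Referer) is exactly this app's own origin. Unlike SameSite cookies,
    this tells a.example.com apart from b.example.com."""
    if method.upper() in SAFE_METHODS:
        return True
    h = {k.lower(): v for k, v in headers.items()}
    source = h.get("origin")
    if source is None and "referer" in h:
        source = origin_of(h["referer"])
    if not source or source == "null":  # absent or opaque origin: fail closed
        return False
    return origin_of(source) == origin_of(app_origin)
```

A request from the sibling app passes `same_site`, so the session cookie is attached, but fails `allowed_by_origin_check`, which is the property the thread is asking for.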