Cookies must be set with the Secure flag in HTTPS mode #657

Closed
opened 2026-02-04 21:37:17 +03:00 by OVERLORD · 2 comments
Owner

Originally created by @hardware on GitHub (May 1, 2018).

All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information. Session cookies sent from secure sites must be explicitly marked as secure to prevent being obtained by active network attackers.

https://github.com/BookStackApp/BookStack/blob/b0d027a4a9f6b139bdfe697aabffaba5eeaaa5ba/config/session.php#L140-L151

In HTTPS mode, all cookies must be set with the Secure flag, indicating that they should **only** be sent over an encrypted channel.

Can you add this parameter to the .env file to permit administrators to change the value? Like this:

```ini
# .env

SESSION_COOKIE_SECURE=true
```

**Hardenize report for demo.bookstackapp.com:**

https://www.hardenize.com/report/demo.bookstackapp.com/1525132852#www_cookies

I use this workaround in my nginx virtual host until you make this change:

```nginx
# Bookstack.conf

proxy_cookie_path / "/; Secure";
```

http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path

OVERLORD added the 🛠️ Enhancement and 📖 Docs Update labels 2026-02-04 21:37:17 +03:00
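To make the Hardenize finding concrete, here is an added example (not BookStack's code and not from this thread) that audits `Set-Cookie` header values for the Secure, HttpOnly and SameSite attributes and simulates what the `proxy_cookie_path / "/; Secure"` workaround does to a session cookie. The sample header values are constructed, and the prefix-replacement behaviour modelled for `proxy_cookie_path` is an assumption drawn from the example in the nginx documentation linked above.

```python
"""Audit Set-Cookie headers for the attributes discussed in this issue.

Added example for this thread, not code from BookStack. The header values
below are constructed to resemble a Laravel session cookie; none were
captured from demo.bookstackapp.com.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: str | None
    path: str | None
    findings: list[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into its name and attribute flags.

    Attribute names are compared case-insensitively, as browsers do, so
    'httponly' and 'HttpOnly' are treated the same.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return CookieAudit(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite") or None,
        path=attrs.get("path") or None,
    )


def audit_cookie(header: str, served_over_https: bool = True) -> CookieAudit:
    """Return the parsed cookie with one finding per missing hardening attribute."""
    cookie = parse_set_cookie(header)
    if served_over_https and not cookie.secure:
        cookie.findings.append("missing Secure: cookie will also be sent over plain HTTP")
    if not cookie.httponly:
        cookie.findings.append("missing HttpOnly: cookie is readable from JavaScript")
    if cookie.samesite is None:
        cookie.findings.append("missing SameSite: no browser-side CSRF restriction")
    return cookie


def apply_proxy_cookie_path(header: str, match: str = "/", replacement: str = "/; Secure") -> str:
    """Simulate nginx `proxy_cookie_path <match> <replacement>` on one header.

    Assumption (taken from the docs' own example, where `/two/ /` rewrites
    Path=/two/some/uri/ to /some/uri/): the match is a prefix of the Path
    attribute value and only that prefix is replaced. A header with no Path
    attribute is returned unchanged.
    """
    rewritten = []
    for part in header.split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip().lower() == "path" and value.strip().startswith(match):
            part = f"{key}={replacement}{value.strip()[len(match):]}"
        rewritten.append(part)
    return ";".join(rewritten)


# Constructed sample: a session cookie as emitted when the Secure flag is
# still disabled in config/session.php (Laravel writes attributes in lower case).
SAMPLE_BEFORE = (
    "bookstack_session=constructed-session-id; "
    "expires=Fri, 04 May 2018 12:00:00 GMT; Max-Age=7200; path=/; httponly"
)


if __name__ == "__main__":
    for label, header in (("before", SAMPLE_BEFORE),
                          ("after nginx rewrite", apply_proxy_cookie_path(SAMPLE_BEFORE))):
        result = audit_cookie(header)
        print(f"{label}: {result.name} secure={result.secure} httponly={result.httponly}")
        for finding in result.findings:
            print("  -", finding)
```

Two caveats follow from the simulation. The rewrite only touches cookies that carry a Path attribute, and under the prefix model a cookie with a longer path (say `Path=/sub`) would come out as `Path=/; Securesub`, so the workaround fits only deployments whose cookies use `Path=/`; having the application set the flag itself, as the requested `.env` option does, avoids both problems and also covers cookies that never pass through the proxy rewrite. The SameSite finding is left in on purpose: the proxy rewrite adds Secure but nothing else.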
Author
Owner

@ssddanbrown commented on GitHub (May 12, 2018):

Thanks @hardware for opening this issue.
I agree this would be good to have as a configurable option. Have marked to be in the next release.

Author
Owner

@ssddanbrown commented on GitHub (May 20, 2018):

Now implemented, will be in the next release.


Reference: starred/BookStack#657