The openvas scan against grafana server revealed the cookie setting
Set-Cookie: redirect_to=%252F; Path=/
which is flagged as insecure because it does not have the ‘httponly’ attribute.
Is there a directive say in grafana.ini, similar to
cookie_secure = false
that can add such attribute? For example,
cookie_httponly = true
will result in
Set-Cookie: redirect_to=%252F; Path=/; HttpOnly
This will make grafana more pci compliant.
Thanks
Richard
Not currently, but this cookie is not used for anything security related.
The usual reply from the auditor is that even though this is not session
related, hackers can exploit this and redirect the url to some place
unintended. So the best practice is to not allow such exploitation for any
cookies. To keep the auditor happy we have to use an apache frontend to
rewrite this cookie. Hopefully this can get priority to be fixed in grafana
itself.
Thanks
Richard
This cookie might actually need to be created from the frontend