Feature/is 9286 send custom header #8


Merged
merged 3 commits into from
Jul 3, 2024

Conversation

slunker
Collaborator

@slunker slunker commented Jul 3, 2024

No description provided.

@slunker slunker force-pushed the feature/IS-9286-send-custom-header branch from f499a76 to 8bab0bd Compare July 3, 2024 05:58

@gary-archer gary-archer left a comment

I would maybe copy in a brief comment to the README also, to promote developer understanding of security:

Cookie Security

  • SameSite=strict cookies are sent to APIs, which cannot be sent from malicious sites
  • To ensure that only precise whitelisted origins can send cookies to APIs, a 'token-handler-version': '1' header should be sent on every request to the OAuth Agent. In cross-origin deployments this ensures that a CORS preflight request authorizes access.

@luisgoncalves
Contributor

I would maybe copy in a brief comment to the README also, to promote developer understanding of security:

Cookie Security

* SameSite=strict cookies are sent to APIs, which cannot be sent from malicious sites

* To ensure that only precise whitelisted origins can send cookies to APIs, a 'token-handler-version': '1' header should be sent on every request to the OAuth Agent. In cross-origin deployments this ensures that a CORS preflight request authorizes access.

Saying "should be sent" may look like the developer needs to do something for this to happen when invoking the OAuth Agent, which is not the case because the library handles this, right? Developers still need to include the headers in API calls (i.e. via the OAuth Proxy); perhaps that's what you meant?

If so (and if the text is added), the text should probably be clear about both things.
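To make the two controls discussed above concrete, here is an added server-side example (not code from this PR or from the OAuth Agent project) of how an API or OAuth Agent endpoint can answer the CORS preflight only for allowed origins and reject any credentialed request that lacks the token-handler-version header. The allow list, function names and request shape are assumptions for the illustration.

```javascript
// Constructed allow list of web origins permitted to call the endpoint with cookies.
const ALLOWED_ORIGINS = new Set(['https://www.example.com']);
const REQUIRED_HEADER = 'token-handler-version';
const REQUIRED_VALUE = '1';

// HTTP header names are case-insensitive, so look them up accordingly.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Browsers send a preflight whenever page script sets a non-safelisted header such as
// token-handler-version. Refusing the preflight for an unknown origin means the browser
// never sends the real request, so the cookie is never attached to it.
function handlePreflight(req) {
  const origin = getHeader(req.headers, 'origin');
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };
  const requested = (getHeader(req.headers, 'access-control-request-headers') || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  // Echo back only the headers this endpoint actually accepts.
  const allowed = requested.filter((h) => h === REQUIRED_HEADER || h === 'content-type');
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
      'Access-Control-Allow-Headers': allowed.join(', '),
      'Vary': 'Origin',
    },
  };
}

// The actual request must carry the custom header. A cross-site form post or top-level
// navigation cannot add it, so a cookie arriving without it is treated as untrusted.
function checkRequest(req) {
  if (getHeader(req.headers, REQUIRED_HEADER) !== REQUIRED_VALUE) {
    return { status: 401, reason: 'missing_token_handler_version' };
  }
  const origin = getHeader(req.headers, 'origin');
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, reason: 'untrusted_origin' };
  }
  return { status: 200, reason: 'ok' };
}
```

With SameSite=strict cookies the browser already withholds the cookie on cross-site requests; the header check is the additional layer that ties the request to an origin the preflight has authorized.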

@slunker
Collaborator Author

slunker commented Jul 3, 2024

I updated the readme with your suggestions @gary-archer and @luisgoncalves

@slunker slunker merged commit 7e552a1 into main Jul 3, 2024
1 check passed
@slunker slunker deleted the feature/IS-9286-send-custom-header branch July 3, 2024 14:26