[keycloak-dev] [KEYCLOAK-9127] CSRF support when using credentials in cookies

Bruno Oliveira bruno at abstractj.org
Thu Oct 10 09:40:04 EDT 2019


Some time ago we got this PR for Gatekeeper:
https://github.com/keycloak/keycloak-gatekeeper/pull/446. But I'm
50/50 on this. Even though I think it's great to add extra protection
to Gatekeeper, we will end up with a new dependency and implementation
of something that apps could handle. Plus, the inclusion of SameSite
(https://github.com/keycloak/keycloak-gatekeeper/pull/482) helps to
mitigate CSRF.

If we take into consideration all the security threats that we have
today, probably dependencies like https://github.com/unrolled/secure
should also be included.

At the moment, I'm leaning toward rejecting this change, as I don't
see any real need for this, but if you have any thoughts, please let
me know.

-- 
- abstractj
