Note: Liferay has renamed its Liferay Experience Cloud offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM).
Issue
A security scan was run on our application. Some of the cookies do not have the HTTPOnly, Secure and/or SameSite attributes. How can we apply these attributes in NGINX?
Environment
- Liferay DXP 7.4
- Liferay PaaS 4.x
Resolution
- Create an ssl.conf file in the /webserver/configs/{env}/conf.d folder.
- Add the following line to the ssl.conf file:
  proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=strict";
  (Note: "strict" is used here as an example. Use the SameSite value appropriate to your use case.)
- Deploy the build to your environment.
- Check the cookies.
- The LFR_SESSION_STATE cookie is not flagged with HTTPOnly. The reason is explained in this article. The related code in 7.4 can be found here.
- The LFR_SESSION_STATE cookie is not flagged with SameSite either. Because it is a JavaScript cookie, the flag can only be set in Liferay code. Feature request LPS-133584 tracks implementing this on the roadmap.
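As an added check for the "Check the cookies" step (example code written for this article, not Liferay's or NGINX's), the script below parses the Set-Cookie headers of a response and reports which cookies lack HTTPOnly, Secure or SameSite. The sample headers are constructed with placeholder values; the cookie names and attribute strings mirror the proxy_cookie_path rule above.

```python
# Added example for the "Check the cookies" step; not Liferay or NGINX code.
# Parses Set-Cookie response headers and reports which cookies lack the
# HttpOnly, Secure and SameSite attributes the security scan asked for.
from typing import Dict, List, NamedTuple

# Cookie attribute names are case-insensitive in browsers (RFC 6265),
# so "HTTPOnly" and "HttpOnly" are both accepted by comparing lowercased.
REQUIRED_ATTRS = ("httponly", "secure", "samesite")


class CookieAudit(NamedTuple):
    name: str
    attrs: Dict[str, str]
    missing: List[str]


def audit_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value; return the cookie name, its attributes and missing flags."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:  # skip empty segments such as a trailing ";"
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    missing = [a for a in REQUIRED_ATTRS if a not in attrs]
    return CookieAudit(name, attrs, missing)


def audit_response_headers(header_lines: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie line of a response; returns {cookie_name: [missing attrs]}."""
    report: Dict[str, List[str]] = {}
    for line in header_lines:
        hname, _, value = line.partition(":")
        if hname.strip().lower() == "set-cookie":
            result = audit_set_cookie(value)
            report[result.name] = result.missing
    return report


# Constructed sample response headers (placeholder values, not captured from a
# real instance). The first two look like cookies after the proxy_cookie_path
# rewrite; the third carries no Path attribute, so that rewrite has nothing to act on.
SAMPLE_HEADERS = [
    "Content-Type: text/html;charset=UTF-8",
    "Set-Cookie: JSESSIONID=PLACEHOLDER; Path=/; HTTPOnly; Secure; SameSite=strict",
    "Set-Cookie: COOKIE_SUPPORT=true; Path=/; HTTPOnly; Secure; SameSite=strict",
    "Set-Cookie: EXAMPLE_NO_PATH=1; Max-Age=3600",
]

if __name__ == "__main__":
    for cookie, missing in audit_response_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

A cookie written by page JavaScript (the LFR_SESSION_STATE case above) never passes through the proxy as a Set-Cookie header, so it cannot be audited this way; inspect it in the browser instead. Since proxy_cookie_path rewrites the Path attribute, a header that carries no Path attribute is also passed through unchanged.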