From 765ef4996cfecd378bde9f2bb9c6c66f6f254757 Mon Sep 17 00:00:00 2001 From: Carlos Padilla Labella Date: Thu, 19 Feb 2026 16:58:45 +0100 Subject: [PATCH 1/2] Add secure and httponly options for cookies --- src/auth/identification.py | 4 +++- src/auth/tornado_auth.py | 3 ++- src/model/server_conf.py | 4 ++++ src/web/server.py | 5 +++++ 4 files changed, 14 insertions(+), 2 deletions(-) diff --git a/src/auth/identification.py b/src/auth/identification.py index ab265525..3d60629f 100644 --- a/src/auth/identification.py +++ b/src/auth/identification.py @@ -116,7 +116,9 @@ def _read_client_token(self, request_handler): def _write_client_token(self, client_id, request_handler): expiry_time = date_utils.get_current_millis() + days_to_ms(self.EXPIRES_DAYS) new_token = client_id + '&' + str(expiry_time) - request_handler.set_secure_cookie(self.COOKIE_KEY, new_token, expires_days=self.EXPIRES_DAYS) + server_config = request_handler.application.server_config + request_handler.set_secure_cookie( + self.COOKIE_KEY, new_token, expires_days=self.EXPIRES_DAYS, secure=server_config.cookie_secure, httponly=server_config.cookie_httponly) def _can_write(self, request_handler): return can_write_secure_cookie(request_handler) diff --git a/src/auth/tornado_auth.py b/src/auth/tornado_auth.py index 05b741a0..1fa35d0f 100644 --- a/src/auth/tornado_auth.py +++ b/src/auth/tornado_auth.py @@ -88,7 +88,8 @@ def authenticate(self, request_handler): LOGGER.info('Authenticated user ' + username) - request_handler.set_secure_cookie('username', username, expires_days=self.authenticator.auth_expiration_days) + server_config = request_handler.application.server_config + request_handler.set_secure_cookie('username', username, expires_days=self.authenticator.auth_expiration_days, httponly=server_config.cookie_httponly, secure=server_config.cookie_secure) path = tornado.escape.url_unescape(request_handler.get_argument('next', '/')) 
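Review bot: The client-id cookie written on the `request_handler.set_secure_cookie(self.COOKIE_KEY, ...)` line now takes `secure`/`httponly` from config but gets no `samesite` attribute, while the `_xsrf` cookie in server.py is pinned to `samesite='Lax'`; the identity cookie deserves at least the same default so it is not attached to cross-site top-level POSTs. Adding it to the call — `request_handler.set_secure_cookie(self.COOKIE_KEY, new_token, expires_days=self.EXPIRES_DAYS, secure=server_config.cookie_secure, httponly=server_config.cookie_httponly, samesite='Lax')` — keeps the three cookie sites consistent. Whether `samesite` is accepted as a keyword depends on the pinned Tornado and Python versions, so confirm against the project's requirements before relying on it. `_write_client_token` is complete within the hunk.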
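Review bot: The `set_secure_cookie('username', ...)` line packs four keyword arguments into a roughly 170-character line and lists them in the opposite order (`httponly`, then `secure`) from the identification.py call in the same patch, and like that call it omits `samesite`. Writing the call with one keyword per line, in the same order as identification.py and with `samesite='Lax'` appended — `request_handler.set_secure_cookie('username', username, expires_days=self.authenticator.auth_expiration_days, secure=server_config.cookie_secure, httponly=server_config.cookie_httponly, samesite='Lax')` — keeps the two login cookies reviewable side by side. The rest of `authenticate` (whatever follows the `path = ...` line) continues outside the hunk.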
diff --git a/src/model/server_conf.py b/src/model/server_conf.py index c3cf0de3..51788e5b 100644 --- a/src/model/server_conf.py +++ b/src/model/server_conf.py @@ -45,6 +45,8 @@ def __init__(self) -> None: self.xsrf_protection = None # noinspection PyTypeChecker self.env_vars: EnvVariables = None + self.cookie_secure = True + self.cookie_httponly = True def get_port(self): return self.port @@ -201,6 +203,8 @@ def from_json(conf_path, temp_folder): security = model_helper.read_dict(json_object, 'security') + config.cookie_secure = model_helper.read_bool_from_config('cookie_secure', security, default=True) + config.cookie_httponly = model_helper.read_bool_from_config('cookie_httponly', security, default=True) config.allowed_users = _prepare_allowed_users(allowed_users, admin_users, user_groups) config.alerts_config = json_object.get('alerts') config.callbacks_config = json_object.get('callbacks') diff --git a/src/web/server.py b/src/web/server.py index 08c4389d..693f7eca 100755 --- a/src/web/server.py +++ b/src/web/server.py @@ -864,6 +864,11 @@ def init(server_config: ServerConfig, 'websocket_ping_timeout': 300, 'compress_response': True, 'xsrf_cookies': server_config.xsrf_protection != XSRF_PROTECTION_DISABLED, + 'xsrf_cookie_kwargs': { + 'httponly': server_config.cookie_httponly, + 'secure': server_config.cookie_secure, + 'samesite': 'Lax' + }, } application = tornado.web.Application(handlers, **settings) From 02461d6347b8df72dd41b3c9fb136864ec1adf0b Mon Sep 17 00:00:00 2001 From: Carlos Padilla <105047274+cpadlab@users.noreply.github.com> Date: Thu, 19 Feb 2026 17:09:14 +0100 Subject: [PATCH 2/2] Style: reformat cookie security flags for better readability --- src/auth/identification.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/auth/identification.py b/src/auth/identification.py index 3d60629f..ef52b936 100644 --- a/src/auth/identification.py +++ b/src/auth/identification.py 
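Review bot: The new defaults `self.cookie_secure = True` and `self.cookie_httponly = True` carry no comment, and the `secure` default has a deployment consequence worth stating at the definition: browsers only store a `Secure` cookie set from an https origin, so an instance served over plain http (no TLS configured and no TLS-terminating proxy in front) will have its login and client-id cookies silently discarded and every login will appear to fail. I'd put above the two lines `# Flags applied to the auth, client-id and _xsrf cookies (security.cookie_secure / cookie_httponly). secure=True is only honored on https origins; set cookie_secure to false for plain-http deployments.` and add a matching entry to the configuration documentation. `__init__` continues outside the hunk.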
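Review bot: `config.cookie_secure = model_helper.read_bool_from_config('cookie_secure', security, default=True)` accepts a downgrade silently: an operator who sets `cookie_secure: false` to get an http deployment working and later moves the server behind TLS keeps session cookies transmittable in cleartext with nothing in the logs. A one-line warning right after the read, `if not config.cookie_secure: LOGGER.warning('security.cookie_secure is disabled; session cookies may be sent over plain http')`, makes the choice visible at startup — this assumes server_conf.py has a module logger, otherwise use `logging.getLogger(__name__)`. `from_json` continues outside the hunk.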
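Review bot: `'httponly': server_config.cookie_httponly` in `xsrf_cookie_kwargs` puts the HttpOnly flag on the `_xsrf` cookie, which is the one cookie a browser client may legitimately need to read: Tornado's double-submit scheme takes the token from `xsrf_form_html()` or from the `X-XSRFToken` header, and a front end that fills that header by reading the `_xsrf` cookie from JavaScript can no longer do so, so with the default `cookie_httponly = True` every state-changing request would fail the XSRF check. I cannot see the front end from here, so confirm how it obtains the token; if it reads the cookie, pin the entry to `'httponly': False` (the token is not a secret from same-origin script — the protection rests on cross-origin script being unable to read it) and keep `cookie_httponly` for the session cookies only. `'samesite': 'Lax'` is hard-coded here while the two session cookies set in this patch get none; a small helper on ServerConfig that returns the common cookie kwargs would keep the three call sites from drifting. `init` continues outside the hunk.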
@@ -117,8 +117,7 @@ def _write_client_token(self, client_id, request_handler): expiry_time = date_utils.get_current_millis() + days_to_ms(self.EXPIRES_DAYS) new_token = client_id + '&' + str(expiry_time) server_config = request_handler.application.server_config - request_handler.set_secure_cookie( - self.COOKIE_KEY, new_token, expires_days=self.EXPIRES_DAYS, secure=server_config.cookie_secure, httponly=server_config.cookie_httponly) + request_handler.set_secure_cookie(self.COOKIE_KEY, new_token, expires_days=self.EXPIRES_DAYS, secure=server_config.cookie_secure, httponly=server_config.cookie_httponly) def _can_write(self, request_handler): return can_write_secure_cookie(request_handler)