shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-02 20:48:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: optionally prefix authentication related cookies (#22148)

Browse Source 
When the deployment option is enabled auth cookies are prefixed with
`__HOST-`
([info](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie)).

This is all done in a middleware that intercepts all requests and strips
the prefix on incoming request cookies.
This commit is contained in:
Steven Masley
2026-02-20 09:01:00 -06:00
committed by GitHub
parent 1069ce6e19
commit e5f64eb21d
15 changed files with 357 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/reference/api/general.md
Generated
+1
View File
@@ -314,6 +314,7 @@ curl -X GET http://coder-server:8080/api/v2/deployment/config \
"hide_ai_tasks": true,
"http_address": "string",
"http_cookies": {
"host_prefix": true,
"same_site": "string",
"secure_auth_cookie": true
},
docs/reference/api/schemas.md
Generated
+4
View File
@@ -2815,6 +2815,7 @@ CreateWorkspaceRequest provides options for creating a new workspace. Only one o
"hide_ai_tasks": true,
"http_address": "string",
"http_cookies": {
"host_prefix": true,
"same_site": "string",
"secure_auth_cookie": true
},
@@ -3369,6 +3370,7 @@ CreateWorkspaceRequest provides options for creating a new workspace. Only one o
"hide_ai_tasks": true,
"http_address": "string",
"http_cookies": {
"host_prefix": true,
"same_site": "string",
"secure_auth_cookie": true
},
@@ -4488,6 +4490,7 @@ Only certain features set these fields: - FeatureManagedAgentLimit|
```json
{
"host_prefix": true,
"same_site": "string",
"secure_auth_cookie": true
}
@@ -4497,6 +4500,7 @@ Only certain features set these fields: - FeatureManagedAgentLimit|
| Name | Type | Required | Restrictions | Description |
|----------------------|---------|----------|--------------|-------------|
| `host_prefix` | boolean | false | | |
| `same_site` | string | false | | |
| `secure_auth_cookie` | boolean | false | | |
docs/reference/cli/server.md
Generated
+11
View File
@@ -1058,6 +1058,17 @@ Controls if the 'Secure' property is set on browser session cookies.
Controls the 'SameSite' property is set on browser session cookies.
### --host-prefix-cookie
| | |
|-------------|------------------------------------------|
| Type | <code>bool</code> |
| Environment | <code>$CODER_HOST_PREFIX_COOKIE</code> |
| YAML | <code>networking.hostPrefixCookie</code> |
| Default | <code>false</code> |
Recommended to be enabled. Enables `__Host-` prefix for cookies to guarantee they are only set by the right domain.
### --terms-of-service-url
| | |