caddy-security

feature: Config option to rename the AUTHP_SESSION_ID cookie/session id

Open iamjrock opened this issue 2 years ago • 1 comments

A clear and concise description of what you want the system to do.

caddy-security currently names its session id and cookie as "AUTHP_SESSION_ID". This lets hackers know that we are using caddy and that we are using caddy-security.

This in turn increases the attack surface should there be any exploits found for caddy or caddy-security.

It would be great if caddy-security admins could rename the session id & cookie to a custom name.

What are the Caddyfile directives that need to be added.

Add Caddyfile directive:

{
  security {
    session_name MY_SESSION_ID_NAME
  }
}

EDIT: I just realised that other cookies may also be created, e.g. AUTHP_REDIRECT_URL. So it would be great if we could rename all of those too.

iamjrock, Aug 20 '22 15:08

@iamjrock, good point! 👍 This is a feature request.

greenpau, Aug 20 '22 15:08