* feat(security): set SameSite=strict on session cookie
Use SameSite=Strict as a hardening measure against cross-origin attacks.
While browsers have been moving to default to SameSite=Lax, explicitly
setting SameSite ensures that all browsers enforce it consistently.
While 'lax' is a reasonable hardening choice, the cookie is only
required for requests to '/api/...' and we don't expect 3rd party links
into '/api/...', so this stricter setting should be safe in terms of
usability. Furthermore, while our GET APIs are not state-changing, using
'strict' future-proofs us in case we add a state-changing GET API ('lax'
allows cross-origin 'GET' requests for increased usability for read-only
requests).
Also add a comment to SetCORS() lack of Access-Control-Allow-Credentials
as a reminder that its omission is intentional for defense in depth on
when to attach the cookie to a request.
* chore: mention that Lax sends the cookie with other safe HTTP methods
* feat: record telemetry data only on successful response codes
* feat: re-write request path in file handler
* fix: use a slug for the replacement path
* chore: update CHANGELOG
* fix: report for 5XX also
* fix: address review comments
This was added so that we can distinguish between 4XX and 401 class
errors. It should have a minimal impact in overall cardinality.
Co-authored-by: Greg Linton <greg@influxdata.com>
Co-authored-by: Greg Linton <greg@influxdata.com>
Jamie Strandboge
Sam Arnold
William Baker
William Baker
Daniel Moran
Russ Savage
Michael Desa
Lyon Hill
Alirie Gray
Pavel Zavora
Jonathan A. Sternberg
Jakub Bednář
David McKay
Johnny Steenbergen