* feat(security): set SameSite=strict on session cookie
Use SameSite=Strict as a hardening measure against cross-origin attacks.
While browsers have been moving to default to SameSite=Lax, explicitly
setting SameSite ensures that all browsers enforce it consistently.
While 'lax' is a reasonable hardening choice, the cookie is only
required for requests to '/api/...' and we don't expect 3rd party links
into '/api/...', so this stricter setting should be safe in terms of
usability. Furthermore, while our GET APIs are not state-changing, using
'strict' future-proofs us in case we add a state-changing GET API ('lax'
allows cross-origin 'GET' requests for increased usability for read-only
requests).
Also add a comment to SetCORS() lack of Access-Control-Allow-Credentials
as a reminder that its omission is intentional for defense in depth on
when to attach the cookie to a request.
* chore: mention that Lax sends the cookie with other safe HTTP methods
* feat: record telemetry data only on successful response codes
* feat: re-write request path in file handler
* fix: use a slug for the replacement path
* chore: update CHANGELOG
* fix: report for 5XX also
* fix: address review comments
This was added so that we can distinguish between 4XX and 401 class
errors. It should have a minimal impact in overall cardinality.
Co-authored-by: Greg Linton <greg@influxdata.com>
Co-authored-by: Greg Linton <greg@influxdata.com>
this ability exports all resources associated with a stack by the same
metadata.name fields as the original application had done it. This can
be used as a means to snapshot the current state of the stack. This can
be used for source control or other means.
closes: #18271
This commit checks http.Request.Context().Err() to see if the context
has been canceled before writing an error code. It uses the non-standard
Nginx 499 error code for client disconnection.
this fix is necessary to avoid the superflour write header error. When the
write fails, we log it, this shoudl never happen unless the connection gets
corrupted. In that case there is nothing for the server to do except log
Jamie Strandboge
Sam Arnold
William Baker
William Baker
Daniel Moran
Russ Savage
Stuart Carnie
Lyon Hill
Michael Desa
Johnny Steenbergen
Alirie Gray
Ben Johnson
George
Pavel Zavora
Jonathan A. Sternberg
Jakub Bednář
David McKay