Our GCP Load Balancer is set up to route to our back-end service using cookie session affinity. It's working ok, but the secure flag is not set. We have tried to specify it according to RFC 7230:
Set-Cookie: Secure
Theoretically the header can be configured in the backend-service custom request header. The backend-service description:
gcloud beta compute backend-services describe my-backend-service --global
customRequestHeaders:
- 'Set-Cookie: Secure'
description: ''
enableCDN: false
fingerprint: XXXXXX-XX
healthChecks:
- https://www.googleapis.com/compute/beta/projects/my-project/global/healthChecks/my-check
id: 'XXXXXXXXXXXXXXX'
kind: compute#backendService
loadBalancingScheme: EXTERNAL
name: my-backend-service
port: 80
portName: http
protocol: HTTP
selfLink: https://www.googleapis.com/compute/beta/projects/my-project/global/backendServices/my-backend-service
sessionAffinity: GENERATED_COOKIE
timeoutSec: 300
However, the GCLB cookie is still not showing the secure flag.
What are we doing wrong?
Thanks in advance.
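Before and after changing the backend service, the thing worth checking is what the load balancer actually hands back to the browser. The following is an added example, not code from the question above: it parses the Set-Cookie headers of a response and reports which cookies lack the Secure and HttpOnly attributes. The response headers and the cookie values in it are constructed for illustration; the GCLB value shown is made up.

```python
"""Audit the Set-Cookie headers a load balancer returns to the client.

Added example (not from the original question). Standard library only.
"""
from http.cookies import SimpleCookie

# Attributes an affinity/session cookie on an HTTPS site should carry.
REQUIRED_ATTRS = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into (name, value, attributes).

    Attributes are returned as a dict keyed by their lowercase name; flag
    attributes such as Secure and HttpOnly map to True when present.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    if len(jar) != 1:
        raise ValueError("expected exactly one cookie in: %r" % header_value)
    (name, morsel), = jar.items()
    # Morsel pre-populates every known attribute with ""; keep only those set.
    attrs = {k: v for k, v in morsel.items() if v not in ("", None)}
    return name, morsel.value, attrs


def audit_response(headers):
    """Return {cookie_name: [missing attributes]} for a list of
    (header_name, header_value) pairs taken from one HTTP response."""
    findings = {}
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, _value, attrs = parse_set_cookie(value)
        findings[name] = [a for a in REQUIRED_ATTRS if not attrs.get(a)]
    return findings


# Constructed sample response: the affinity cookie as the asker sees it
# (no Secure flag) next to an application cookie that has the flags set.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "GCLB=CJTz7YHxluH4WQ; path=/; HttpOnly"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for cookie_name, missing in audit_response(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print("%s: %s" % (cookie_name, status))
```

Run it against the real headers captured with `curl -sI https://your-host/` and the GCLB line will show up as "missing secure" until the load balancer itself emits the attribute; a header injected towards the backend is not seen by the client at all.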
Make sure that the value passed into UriCookieConfig was HTTP and not https. Switching to https changed the Set-Cookie to be secure and might fix your issue.
When setting a cookie, the cookie is not set with a secure attribute, but NOT because it is set via HTTP (though that is not ideal either). A secure flag in a Set-Cookie header instructs the client to only send the cookie back via a secure channel (e.g. https). It redirects to https when the request isn't secure:
See the following documents for more details on setting the Secure flag:
https://owasp.org/www-community/controls/SecureCookieAttribute
https://cloud.google.com/docs/security/encryption-in-transit
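The client-side effect the answer above describes can be observed directly. This is an added example, not part of that answer: it feeds a constructed Set-Cookie response into Python's standard-library cookie jar and then checks which cookies the jar is willing to attach to an https:// request versus a plain http:// request to the same host. The host name app.example.com and the cookie values are made up.

```python
"""Show what the Secure attribute changes on the client side.

Added example (not from the original answer). Standard library only.
"""
import email.message
import urllib.request
from http.cookiejar import CookieJar


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            # Message keeps repeated headers, so each cookie stays separate.
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookies_sent(set_cookie_values, origin="https://app.example.com/",
                 targets=()):
    """Return {target_url: [cookie names the client would send]} after the
    cookies in set_cookie_values were set by a response from `origin`.

    The jar applies the standard Netscape/RFC 6265 rules: a cookie carrying
    the Secure attribute is withheld from any request whose scheme is not
    https, everything else is sent on both schemes.
    """
    jar = CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_values),
                        urllib.request.Request(origin))
    result = {}
    for url in targets:
        req = urllib.request.Request(url)
        jar.add_cookie_header(req)  # adds a Cookie header if anything matches
        header = req.get_header("Cookie") or ""
        result[url] = sorted(part.split("=", 1)[0]
                             for part in header.split("; ") if part)
    return result


# Constructed cookies: the affinity cookie without Secure, an app cookie with it.
SAMPLE_SET_COOKIES = [
    "GCLB=CJTz7YHxluH4WQ; path=/; HttpOnly",
    "session=abc123; Path=/; Secure; HttpOnly",
]
SAMPLE_TARGETS = ("https://app.example.com/", "http://app.example.com/")

if __name__ == "__main__":
    for url, names in cookies_sent(SAMPLE_SET_COOKIES,
                                   targets=SAMPLE_TARGETS).items():
        print("%s -> %s" % (url, ", ".join(names) or "(no cookies)"))
```

The GCLB cookie without Secure is sent over http as well as https, which is exactly the exposure the flag is meant to close: a redirect to https only helps after the unencrypted request, cookie included, has already left the browser.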