
Filter cookie headers for all API route requests
Closed, Resolved. Public

Description

We want to enforce that cookies don't belong in APIs.

To do this, we'll prevent mounted APIs from setting cookies in their responses, and we'll drop any cookies that clients send instead of passing them through to the backend.

This is done when:

  • Configure the API gateway routes to strip outgoing Set-Cookie headers
  • Configure the API gateway routes to strip incoming Cookie headers

Event Timeline

hnowlan claimed this task. Aug 14 2020, 10:02 AM
hnowlan triaged this task as Medium priority.

Change 620311 had a related patch set uploaded (by Hnowlan; owner: Hnowlan):
[operations/deployment-charts@master] api-gateway: strip cookie headers from requests and responses.

https://gerrit.wikimedia.org/r/620311

Change 620311 merged by jenkins-bot:
[operations/deployment-charts@master] api-gateway: strip cookie headers from requests and responses.

https://gerrit.wikimedia.org/r/620311

The gateway now filters all set-cookies in responses and all cookies from incoming requests. Varnish cookies remain, however.

hnowlan added a comment. Edited Sep 3 2020, 12:58 PM

Cookies being set by the REST API

nosmo@ocasey ~ $ curl -v https://en.wikipedia.org/w/rest.php/v1/search/page?q=pizza -o /dev/null 2>&1 | grep -i cookie
< set-cookie: WMF-Last-Access=03-Sep-2020;Path=/;HttpOnly;secure;Expires=Mon, 05 Oct 2020 12:00:00 GMT
< set-cookie: WMF-Last-Access-Global=03-Sep-2020;Path=/;Domain=.wikipedia.org;HttpOnly;secure;Expires=Mon, 05 Oct 2020 12:00:00 GMT
< set-cookie: GeoIP=IE:L:Dublin:etc:v4; Path=/; secure; Domain=.wikipedia.org

Cookies not being set by the API gateway (with the exception of the Varnish cookie)

nosmo@ocasey ~ $ curl -v https://api.wikimedia.org/core/v1/wikipedia/en/search/page?q=pizza -o /dev/null 2>&1 | grep -i cookie
< set-cookie: WMF-Last-Access=03-Sep-2020;Path=/;HttpOnly;secure;Expires=Mon, 05 Oct 2020 12:00:00 GMT
Here cookies can be seen being set by the API portal
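The two gateway rules in the task description (strip incoming Cookie, strip outgoing Set-Cookie) and the curl-and-grep check in the comment above, as an added Go example. This is not the deployment-charts change from the task (which this page does not show) and it is not Wikimedia's gateway; an http.Handler middleware stands in for the gateway route configuration, the backend handler is a constructed stand-in modelled on the rest.php output above, and the cookie names and values are constructed. Probe(false, ...) behaves like calling rest.php directly; Probe(true, ...) behaves like going through the gateway.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// cookieStrippingWriter removes every Set-Cookie header the upstream added,
// at the moment the response headers are committed.
type cookieStrippingWriter struct {
	http.ResponseWriter
	wroteHeader bool
}

func (c *cookieStrippingWriter) WriteHeader(code int) {
	if !c.wroteHeader {
		c.Header().Del("Set-Cookie") // Del drops all values of a multi-valued header
		c.wroteHeader = true
	}
	c.ResponseWriter.WriteHeader(code)
}

func (c *cookieStrippingWriter) Write(b []byte) (int, error) {
	if !c.wroteHeader {
		c.WriteHeader(http.StatusOK) // implicit 200, as net/http does
	}
	return c.ResponseWriter.Write(b)
}

// StripCookies is the gateway policy from the task: no Cookie header reaches
// the upstream, and no Set-Cookie header reaches the client.
func StripCookies(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del("Cookie")
		sw := &cookieStrippingWriter{ResponseWriter: w}
		next.ServeHTTP(sw, r)
		if !sw.wroteHeader {
			w.Header().Del("Set-Cookie") // upstream wrote nothing; headers are still mutable
		}
	})
}

// restAPI is a constructed stand-in for the REST backend: it reads the
// client's cookies and sets cookies of its own, as rest.php does in the
// curl output above. The cookie values are constructed for this example.
func restAPI(sawCookie *string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		*sawCookie = r.Header.Get("Cookie")
		http.SetCookie(w, &http.Cookie{Name: "WMF-Last-Access", Value: "03-Sep-2020", Path: "/", Secure: true, HttpOnly: true})
		http.SetCookie(w, &http.Cookie{Name: "GeoIP", Value: "IE:L:Dublin", Path: "/", Secure: true})
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"pages":[]}`)
	})
}

// ProbeResult is what `curl -v ... | grep -i cookie` observes on the client
// side, plus what the backend received.
type ProbeResult struct {
	UpstreamCookie string   // Cookie header as seen by the backend
	SetCookies     []string // Set-Cookie headers as seen by the client
	Status         int
	ContentType    string
}

// Probe sends one request carrying clientCookie to the backend, either
// directly (filtered=false) or behind the stripping policy (filtered=true).
func Probe(filtered bool, clientCookie string) ProbeResult {
	var saw string
	var h http.Handler = restAPI(&saw)
	if filtered {
		h = StripCookies(h)
	}
	req := httptest.NewRequest("GET", "/core/v1/wikipedia/en/search/page?q=pizza", nil)
	if clientCookie != "" {
		req.Header.Set("Cookie", clientCookie)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	res := rec.Result()
	return ProbeResult{
		UpstreamCookie: saw,
		SetCookies:     res.Header.Values("Set-Cookie"),
		Status:         res.StatusCode,
		ContentType:    res.Header.Get("Content-Type"),
	}
}

func main() {
	for _, filtered := range []bool{false, true} {
		r := Probe(filtered, "enwikiSession=constructed-example")
		fmt.Printf("filtered=%v upstream saw Cookie=%q client got Set-Cookie=%v\n",
			filtered, r.UpstreamCookie, r.SetCookies)
	}
}
```

The filter sits on the response writer rather than on the handler's return path because Set-Cookie is committed with the status line: once WriteHeader has run, the header is already on the wire, so the deletion has to happen inside WriteHeader. The trailing Del covers a backend that returns without writing anything. As in the task, this only governs what passes through the gateway; a cookie added by a layer on the client side of it (the Varnish cookie in the comment above) is out of its reach and would still show up in the curl output.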

eprodromou closed this task as Resolved. Oct 5 2020, 4:56 PM
eprodromou moved this task from PM Sign-off to Done on the Platform Team Workboards (Green) board.