| Excerpt | ||||
|---|---|---|---|---|
| ||||
The text below is a summary of the security audit performed by Néosoft. You can also download the full report. |
...
The cookies used by the main application do not have a configured "SameSite" security attribute.
The "SameSite" attribute helps mitigate the risks associated with Cross-Site Request Forgery (CSRF) attacks. In this case, the absence of this protection makes the application more vulnerable to potential CSRF attacks.
Likelihood : 1 (Low)
Potential impact : 1 (Low)
Note : This point cannot be corrected because the OAuth authentication (Keycloak) uses the cookie for authentication across all our websites (c.f. explaining explaination by the Keycloak team ). As this issue is associated with a very low criticality, it was decided to rate it as a false-positive.
...
For one application, the application's cookies, including session cookies, lack the SameSite security attribute, increasing the risk of Cross-Site Request Forgery (CSRF) attacks that could exploit unauthorized requests. But it was decided to rate it as false-positive (see paragraph above).
Positive aspects were also identified, such as the absence of injection possibilities like XSS or SQLi and the absence of reported file upload vulnerabilities. In addition, the service generally adheres to security best practices, including correct input validation, secure coding standards and regular updates.
...
| Expand | ||
|---|---|---|
| ||
SAS au capital de 832.000€ - 41-45 Bd Romain Rolland – 75014 PARIS Tél : +33 (0)1 41 10 41 60 - e-mail: mailto:contact.site@neo-soft.fr – http://www.neosoft.fr |
...