Two security related questions

I got two security related questions from a security auditor.

#1 - X-Frame-Options header is not included in the HTTP response to protect against ‘ClickJacking’ attacks
#2 - A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

Based on the shinyproxy documnent, I can address these two questions by including in application.yml the config specs like

secure-Cookies: true
frame-Options: sameorigin

Any one to confirm?

Thank you in advance.


This are almost the correct settings, you should use:

   secure-Cookies: true
   frameOptions: sameorigin

You should not use a - in the frameOptions setting (I’ll fix this in the docs).

You can confirm that these options are correctly applied by:

  1. open the developer tools of your browser (e.g. using F12)
  2. go to storage tab (in Firefox)
  3. check the cookies:


  1. as you can see both the secure and httponly flags are set
  2. to check the header, go to the network tab and reload the page
  3. look at the top-most request:


Thank you tdekoninck,

one more question about samesite attribute for cookie.
if I want to set samesite attribute for cookie to ‘lax’ or ‘strict’, should I change like beow?

  same-site-cookie: lax


  same-site-cookie: strict

I can’t find documentation on available values other than none option.

  same-site-cookie: none

Thank you!


You should be able to pass Strict , Lax and None as values to that setting. However, please note that this setting does not apply to the session cookie set by ShinyProxy. (so only cookies created e.g. for SAML). We could easily introduce another option to set the same-site policy of the session cookie if needed.