We plan to publish a comprehensive guideline doc on how to create secure Web applications.
Native support such as XSRF, XSS prevention may also be added to the gRPC-Web protocol.
Could you please add more details about security and how to properly use metadata for authentication via grpc-web and also cover XSRF / XSS and etc
Also I have question, grpc-web support cookies? I want to set httponly secure cookie (not accessible from javascript) from server to client and want to get all requests from client to server with that cookie
This is vitally important as for Enterprise companies to approve the technology, they need proof of security and confirmation from their departments, which will search for confirmation that this is indeed secure. If this information is not easily available for them, the adoption will be slowed down.
If someone find this issue, its possible to use cookies via passing option withCredentials: true when creating service client.
@pumano is there any chance you can expand on that? Am I understanding correctly that you were able to set a httpOnly secure cookie via a webserver and then by using the withCredentials: true option that grpc-web would include that cookie as a part of all outgoing requests?
@stanley-cheung @fengli79 @vnorigoog @wenbozhu I'm really sorry to ping you but there have been hints at a lot of documentation coming in the future about how to build secure grpc-web services and I wanted to check if you had any updates that you could possibly share on that? Additionally, is this something that you might be able to provide some basic hints about in the meantime? The lack of guidance around this is really frustrating and even broad outlines feel like they would be more helpful than what we have at the moment.
@mhoad
Sorry that we haven't been making much progress on this, with a very small team working on both opensource and google-internal features.
What I believe will benefit developers is for gRPC-Web to provide a guideline on how to integrate with Auth (inc. cookie auth and related security guidelines such as encoding format), XSS/XSRF prevention, CORS policies, CSP and other standard Web security policies.
We will start to publish some docs in Q4 at least on CORS, XSS/XSRF. Thanks for your feedback.
@Jennnnny
@mhoad currently im not use grpc-web but, looks like it's possible what I mean but with problems: https://stackoverflow.com/questions/54883895/securely-exposing-a-grpc-service-with-authentication-using-grpc-web#comment98774393_54883895
I don't test it, you can try it. But if grpc-web team provide some official documentation it will be better.
response set-cookie support in envoy.
https://github.com/envoyproxy/envoy/issues/2250
so next step is figuring out how to set the metadata on upstream. i.e grpc server
Most helpful comment
This is vitally important as for Enterprise companies to approve the technology, they need proof of security and confirmation from their departments, which will search for confirmation that this is indeed secure. If this information is not easily available for them, the adoption will be slowed down.