OVJSESSIONID cookie does not have secure flag set

There is a TLS cookie (OVJSESSIONID) associated with the URL https://<openvidu_server>/openvidu. But this cookie does not have the secure flag set, which leaves this cookie vulnerable to attackers. So are there any specific reasons for the secure flag not being set for the cookie?

Openvidu v2.32.1

In official deployments, OpenVidu is served over HTTPS. Have you tested this in a production environment? Cookie transmission is protected by the encrypted HTTPS connection, so as long as your server itself isn't compromised, any traffic passing over the public internet is secured via Nginx's HTTPS layer. A local network attacker would need direct access to the server to intercept anything.

In production deployments you can’t access OpenVidu via HTTP, only via HTTPS.

Hi @cruizba. Thanks for your reply.

However, the Secure flag is a browser-level enforcement and is independent of server-side HTTPS configuration. Without the Secure flag explicitly set on the cookie, the browser can still transmit the cookie over HTTP if any unencrypted request is made (e.g., SSL stripping, mixed content, or misconfiguration). Burp Suite has confirmed this as a valid finding. Industry best practices (OWASP) require the Secure flag to be set explicitly on all sensitive cookies regardless of server-side HTTPS enforcement.
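The point about browser-level enforcement can be checked directly. The script below is an added example written for this page; it is not OpenVidu code and was not posted by either participant. It models the RFC 6265 rule a browser applies when deciding whether to attach a stored cookie to a request (a cookie carrying `Secure` is only sent over `https:`; one without it is also sent over plain `http:`), and includes a small checker for the hardening attributes a pentester looks for on a session cookie. The `Set-Cookie` header values and the hostname `openvidu.example` are constructed for illustration; Path and Domain matching are simplified to a path-prefix check and an exact host comparison.

```javascript
// Added example, not part of the OpenVidu project: model how a browser applies
// the Secure attribute, and check a Set-Cookie header for missing flags.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lowercased; flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  if (eq <= 0) throw new Error('malformed Set-Cookie: ' + header);
  const cookie = { name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1), attrs: {} };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Decide whether a stored cookie would be attached to a request for `url`.
// The rule that matters for this finding: with Secure set, the cookie is only
// sent when the request scheme is https; without it, the same cookie also
// rides on any http request to a matching path (SSL stripping, mixed content,
// a stray http:// link). Path/Domain matching is simplified (assumption).
function wouldSendCookie(cookie, url) {
  const u = new URL(url);
  if (cookie.attrs.secure === true && u.protocol !== 'https:') return false;
  const path = cookie.attrs.path || '/';
  if (!u.pathname.startsWith(path)) return false;
  if (cookie.attrs.domain && u.hostname !== cookie.attrs.domain.replace(/^\./, '')) return false;
  return true;
}

// Report which hardening attributes a session cookie is missing.
function missingSessionCookieFlags(cookie) {
  const missing = [];
  if (cookie.attrs.secure !== true) missing.push('Secure');
  if (cookie.attrs.httponly !== true) missing.push('HttpOnly');
  if (!cookie.attrs.samesite) missing.push('SameSite');
  return missing;
}

// Constructed headers (not captured from a real server): the cookie as the
// finding describes it, without Secure, and a hardened form beside it.
const REPORTED = 'OVJSESSIONID=abc123; Path=/openvidu; HttpOnly';
const HARDENED = 'OVJSESSIONID=abc123; Path=/openvidu; HttpOnly; Secure; SameSite=Lax';

const reported = parseSetCookie(REPORTED);
const hardened = parseSetCookie(HARDENED);
const HTTP_URL = 'http://openvidu.example/openvidu/api';   // assumed hostname
const HTTPS_URL = 'https://openvidu.example/openvidu/api';

console.log('reported cookie sent over http :', wouldSendCookie(reported, HTTP_URL));  // true
console.log('hardened cookie sent over http :', wouldSendCookie(hardened, HTTP_URL));  // false
console.log('hardened cookie sent over https:', wouldSendCookie(hardened, HTTPS_URL)); // true
console.log('flags missing on reported cookie:', missingSessionCookieFlags(reported)); // [ 'Secure', 'SameSite' ]
```

Run it with `node` to see the three cases side by side. To apply the checker to a live deployment, feed it the `Set-Cookie` value from the response to `https://<openvidu_server>/openvidu` (for example from `curl -skI` output or from Burp's response pane); the `wouldSendCookie` result for an `http://` URL is exactly what the Secure flag changes, independently of whether the server redirects http to https.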