hackclub/hack-as-a-service-v0

Subdomain cookie isolation

Closed this issue · 0 comments

Add *.haas.hackclub.com and *.hackclub.app to the public suffix list so that cookies are not shared between subdomains. This is an ⚠️EXTREME SECURITY RISK⚠️ to the security of HaaS users' credentials, as a token cookie can currently be easily stolen by a malicious subdomain.

Urgently consider getting this fixed.
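An added example, not part of the original issue or the HaaS code base: a simplified model of how a browser uses the public suffix list to decide whether a `Domain=` cookie is stored, run with and without the two wildcard rules requested above. The host names `alice` and `app1`, the rule sets, and the function names are constructed for illustration; exception (`!`) rules are omitted.

```javascript
// Constructed rule sets: the suffix list without and with the requested entries.
const BEFORE = ["com", "app"];
const AFTER = ["com", "app", "*.haas.hackclub.com", "*.hackclub.app"];

// Public suffix of `host`: the matching rule with the most labels wins;
// "*" in a rule matches exactly one label. Default rule is the last label.
function publicSuffix(host, rules) {
  const labels = host.toLowerCase().split(".");
  let best = 1;
  for (const rule of rules) {
    const r = rule.split(".");
    if (r.length > labels.length) continue;
    const tail = labels.slice(labels.length - r.length);
    const hit = r.every((label, i) => label === "*" || label === tail[i]);
    if (hit && r.length > best) best = r.length;
  }
  return labels.slice(labels.length - best).join(".");
}

// Registrable domain (public suffix plus one label), or null when the
// host is itself a public suffix.
function registrableDomain(host, rules) {
  const h = host.toLowerCase();
  const suffix = publicSuffix(h, rules);
  if (suffix === h) return null;
  const labels = h.split(".");
  const n = suffix.split(".").length + 1;
  return labels.slice(labels.length - n).join(".");
}

// Would a cookie set by `host` with this Domain attribute be stored?
function acceptsDomainCookie(host, domainAttr, rules) {
  const h = host.toLowerCase();
  const d = domainAttr.toLowerCase().replace(/^\./, "");
  if (h === d) return true;               // stored as a host-only cookie
  if (!h.endsWith("." + d)) return false; // host does not domain-match
  const reg = registrableDomain(h, rules);
  // A host that is a public suffix cannot set cookies for a parent domain.
  return reg !== null && (d === reg || d.endsWith("." + reg));
}

for (const [name, rules] of [["before", BEFORE], ["after", AFTER]]) {
  console.log(name, "alice.hackclub.app -> Domain=hackclub.app:",
    acceptsDomainCookie("alice.hackclub.app", "hackclub.app", rules));
}
```

With the rules in place, each subdomain can still set a cookie for its own host, but a cookie scoped to the shared parent is refused, so sibling subdomains no longer receive it.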