If you discover a security vulnerability in this plugin, please do not open a public GitHub issue.
Instead, please report it responsibly by emailing the maintainers directly or using GitHub's private vulnerability reporting. Please include:
- A description of the vulnerability
- Steps to reproduce the issue
- The potential impact
- Any suggested fixes (if you have them)
- We will acknowledge receipt within 48 hours
- We will provide an initial assessment within 1 week
- We will work with you to understand and resolve the issue before any public disclosure
Cookies are a fundamental part of web session management and carry inherent security risks. When using this plugin:
- Always set `httpOnly: true` (the default) to prevent JavaScript access and reduce the risk of XSS cookie theft
- Set `secure: true` for session cookies on HTTPS sites to prevent transmission over HTTP
- Use the `SameSite` attribute at the container level to mitigate CSRF risks
- Avoid storing sensitive data (session tokens, personal data) in cookie values without encryption
- The `grails.plugins.cookie.secure.default` config option mirrors `request.secure` by default; ensure your reverse proxy sets the `X-Forwarded-Proto` header correctly
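As an added example (not part of this plugin or its documentation), the following checker audits `Set-Cookie` headers against the checklist above and models why the `secure` default depends on `X-Forwarded-Proto` behind a TLS-terminating proxy. The sample headers and the proxy-trust behaviour in `request_is_secure` are assumptions made for illustration.

```python
# Added example (not the plugin's code): audit Set-Cookie headers against the
# checklist above and model how the secure default depends on the proxy header.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into name, value and attributes.
    Attribute names are case-insensitive (RFC 6265); bare flags map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}

def request_is_secure(scheme, x_forwarded_proto=None):
    """Model what an app behind a TLS-terminating proxy sees: the backend hop
    is plain HTTP, so request.secure is only true when the proxy forwards
    X-Forwarded-Proto: https (assumption: the proxy header is trusted)."""
    if x_forwarded_proto is not None:
        return x_forwarded_proto.lower() == "https"
    return scheme.lower() == "https"

def audit_set_cookie(header, request_secure=True):
    """Return findings for one Set-Cookie header: HttpOnly, Secure (on HTTPS)
    and a valid SameSite value, as the guidance above requires."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable from JavaScript")
    if request_secure and "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("strict", "lax", "none"):
        findings.append("missing or invalid SameSite: no CSRF mitigation")
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None is only honoured with Secure")
    return findings

# Constructed sample headers, not captured from a real deployment.
WEAK = "JSESSIONID=abc123; Path=/"
HARDENED = "JSESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    # Without X-Forwarded-Proto the app sees plain HTTP, so a secure default
    # derived from request.secure would be false even for an HTTPS client.
    for proto in ("https", None):
        print("proxy forwards", proto, "-> request.secure =",
              request_is_secure("http", proto))
    for label, hdr in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_set_cookie(hdr) or ["ok"])
```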
| Version | Grails | Supported |
|---|---|---|
| 3.x (latest) | Grails 7 | Yes |
| 2.x | Grails 3 | No |