-rw-r--r-- | changelogs/unreleased/sh-disable-sidekiq-session.yml | 5 | ||||
-rw-r--r-- | config/initializers/sidekiq.rb | 6 |
2 files changed, 11 insertions, 0 deletions
diff --git a/changelogs/unreleased/sh-disable-sidekiq-session.yml b/changelogs/unreleased/sh-disable-sidekiq-session.yml
new file mode 100644
index 00000000000..d018bbed841
--- /dev/null
+++ b/changelogs/unreleased/sh-disable-sidekiq-session.yml
@@ -0,0 +1,5 @@
+---
+title: Disable the Sidekiq Admin Rack session
+merge_request: 21441
+author:
+type: security
diff --git a/config/initializers/sidekiq.rb b/config/initializers/sidekiq.rb
index 6f54bee4713..476eaabfed8 100644
--- a/config/initializers/sidekiq.rb
+++ b/config/initializers/sidekiq.rb
@@ -1,3 +1,9 @@
+require 'sidekiq/web'
+
+# Disable the Sidekiq Rack session since GitLab already has its own session store.
+# CSRF protection still works (https://github.com/mperham/sidekiq/commit/315504e766c4fd88a29b7772169060afc4c40329).
+Sidekiq::Web.set :sessions, false
+
 # Custom Queues configuration
 queues_config_hash = Gitlab::Redis::Queues.params
 queues_config_hash[:namespace] = Gitlab::Redis::Queues::SIDEKIQ_NAMESPACE
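Review bot: The comment above `Sidekiq::Web.set :sessions, false` states that CSRF protection "still works", but with Sidekiq's own session disabled that protection can only hold if the Sidekiq::Web app is mounted where the host application's session middleware has already populated `rack.session`; the mount point is outside this hunk, so the precondition is invisible to the next reader of this initializer. I would make the dependency explicit in the comment, e.g. `# Relies on Sidekiq::Web being mounted behind the Rails session middleware (and the admin auth constraint) so the app session backs Sidekiq's CSRF check; if it is ever mounted standalone, re-enable sessions here.` A short spec that loads the admin UI with a missing or mismatched CSRF token and expects a rejection would pin this so a later routing change cannot silently remove the check. Separately, `require 'sidekiq/web'` at the top of a config initializer loads the web UI in every process, including Sidekiq server workers that never serve it; if that is unintended it could be moved next to the route that mounts the UI, though this may be deliberate to make `Sidekiq::Web` available for the `set` call here.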