Secure the Connections to Your Hub Server
warning
Cross-site CookiesAn external Hub installation uses cross-site cookies to maintain and support authentication sessions in connected services. To safeguard sites against Cross-Site Request Forgery (CSRF) attacks, leading web browsers only allow cross-site cookies that are accessed over HTTPS connections.
In web browsers that enforce the new security standards, Hub is unable to exchange authentication tokens with a connected service. This means that users are constantly logged out of connected services whenever their session cookies expire. Requests to extend the current session with refresh tokens are also blocked.
For security reasons, we have always advised against running Hub using plain HTTP. Following the latest initiatives to improve privacy and security across the web, you are effectively required to secure all traffic to your external Hub installation over TLS.
Thanks for your feedback!