In this article:
Severity: Low (in Scoring 2.0)
High (in Scoring 3.0)
Factor: Application security
Why this matters
From OWASP: "The secure attribute is an option that can be set by the application server when sending a new session cookie to the user within an HTTP Response. The purpose of the secure attribute is to prevent session cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text. To accomplish this goal, browsers which support the secure attribute will only send session cookies with the secure attribute when the request is going to an HTTPS page. Said in another way, the browser will not send a session cookie with the secure attribute set over an unencrypted HTTP request. By setting the secure attribute, the browser will prevent the transmission of a cookie over an unencrypted channel."
How you can discover this
You can determine whether or not a session cookie is missing the secure flag by checking the domain against https://securityheaders.com. Alternatively, you can validate with the Google Chrome developer tools when examining the HTTP Response header Set-Cookie.
Set-Cookie: <name>=<value>[; <Max-Age>=<age>]
`[; expires=<date>][; domain=<domain_name>]
[; path=<some_path>][; secure][; HttpOnly]
How you can remediate this
Change the default setting from FALSE to TRUE to ensure cookies are sent only through HTTPS. Set the secure flag on the cookie to prevent it from being observed by malicious actors. Implement the secure flag when using the Set-Cookie parameter during authenticated sessions.
Example:
\tString sessionid = request.getSession().getId();\tresponse.setHeader(\"SET-COOKIE\", \"JSESSIONID=\" + sessionid + \"; secure\");
For for more details, see the guidance provided by Open Web Application Security Project (OWASP).
How you can resolve it in SecurityScorecard
When submitting a Resolution request, ensure you include supporting evidence where necessary. This will greatly assist us in ensuring your issue is resolved in a timely manner. See the following options for resolving [Issue-type-name] findings:
I have fixed this
HTTPS Secure flag has been configured.
I have a compensating control
Compensating controls are not accepted for this issue type.
This is not my IP or domain
The IP does not belong to my company, and the DNS entry has been corrected on the IP.
I cannot reproduce this issue and I think it is incorrect
- The session cookie mentioned could not be found.
- There is a Secure cookie flag in place, so this finding is not valid.