Severity: High
Factor: Application security
Why this matters
The session ID cookie is not set with the HttpOnly flag. Without this flag, the session ID can be read by client-side script such as JavaScript. This exposes the cookie to theft through scripting attack vectors, such as XSS attacks.
How you can discover this issue
You can determine whether a session cookie is missing the HttpOnly flag by checking the domain against https://securityheaders.com. Alternatively, you can validate it in the Google Chrome developer tools by examining the Set-Cookie HTTP response header:
Set-Cookie: <name>=<value>[; <Max-Age>=<age>]
[; expires=<date>][; domain=<domain_name>]
[; path=<some_path>][; secure][; HttpOnly]
How you can remediate it
Set session cookies with the HttpOnly flag to ensure they cannot be read by client-side script. A cookie marked HttpOnly is not exposed to any malicious injected script. For specific steps to remediate the response header, see the steps documented by the Open Web Application Security Project (OWASP).
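As an added example (not part of the original article), the following Python checks Set-Cookie headers using the attribute syntax shown above, reports session cookies that lack HttpOnly, and shows the corrected header; the session-cookie name pattern and the sample headers are assumptions constructed for the demonstration.

```python
import re

# Cookie names commonly used for session identifiers (assumption; extend per application).
SESSION_NAME_PATTERN = re.compile(r"(sess|jsessionid|phpsessid|asp\.net_sessionid)", re.I)

# Constructed sample Set-Cookie headers, as they might appear in an HTTP response.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure",                        # session cookie, no HttpOnly
    "sessionid=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",  # session cookie, correctly flagged
    "theme=dark; Path=/",                                        # not a session cookie
]


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags like HttpOnly map to ""
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_httponly(headers: list[str]) -> list[str]:
    """Return the names of session cookies that are set without the HttpOnly flag."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if SESSION_NAME_PATTERN.search(cookie["name"]) and "httponly" not in cookie["attrs"]:
            findings.append(cookie["name"])
    return findings


def with_httponly(header: str) -> str:
    """Return the header with '; HttpOnly' appended when the flag is absent (remediated form)."""
    if "httponly" in parse_set_cookie(header)["attrs"]:
        return header
    return header + "; HttpOnly"


if __name__ == "__main__":
    for name in missing_httponly(SAMPLE_HEADERS):
        print(f"finding: session cookie {name!r} is missing HttpOnly")
    for header in SAMPLE_HEADERS:
        print("remediated:", with_httponly(header))
```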
How can this issue be resolved?
When submitting a Resolution request, ensure you include supporting evidence where necessary. This will greatly assist us in ensuring your issue is resolved in a timely manner. See the following options for resolving [Issue-type-name] findings:
I have fixed this
The HttpOnly flag has been configured on the session cookie.
I have a compensating control
The recommendations have been followed for a CSRF/XSRF token, such as:
https://portswigger.net/web-security/csrf/bypassing-token-validation
https://docs.djangoproject.com/en/2.0/ref/settings/#csrf-cookie-httponly
https://medium.com/@nurettinabaci/csrf-token-and-httponly-ff19fcc24862
This is not my IP or domain
The IP does not belong to our company, and the DNS entry pointing to the IP has been corrected.
I cannot reproduce this issue and I think it is incorrect
- The cookie mentioned could not be found.
- The HttpOnly cookie flag is in place, so this finding is not valid.