In this article:
Severity: Low (in Scoring 2.0)
High (in Scoring 3.0)
Factor: Application security
Why this matters
How you can discover this issue
You can determine whether or not a session cookie is missing the HttpOnly flag by checking the domain against https://securityheaders.com. Alternatively, you can validate with the Google Chrome developer tools when examining the HTTP Response header Set-Cookie.
Set-Cookie: <name>=<value>[; <Max-Age>=<age>] `[; expires=<date>][; domain=<domain_name>] [; path=<some_path>][; secure][; HttpOnly]
How you can remediate it
Set session cookies with the HttpOnly flag to ensure they can not be accessed by any other means. A cookie marked with HttpOnly will prevent any malicious injected script from being accessing it. For specific steps to remediate the response header, see the steps documented by Open Web Application Security Project (OWASP).
How can this issue be resolved?
When submitting a Resolution request, ensure you include supporting evidence where necessary. This will greatly assist us in ensuring your issue is resolved in a timely manner. See the following options for resolving [Issue-type-name] findings:
I have fixed this
HTTPS HttpOnly flag has been configured.
I have a compensating control
Compensating controls are not accepted for this issue type.
This is not my IP or domain
The IP does not belong to our company, and the DNS entry has been corrected on the IP.
I cannot reproduce this issue and I think it is incorrect
- The cookie mentioned could not be found.
- There is an HttpOnly cookie flag in place, so this finding is not valid