Security Scan Issue: Cookie does not have HTTPOnly attribute.
As part of a standard security scan within our organization we found the following vulnerability issues in the scan.
- Cookie does not have secure attribute.
- Cookie does not have HTTPOnly attribute.
For the first issue regarding "Cookie does not have secure attribute" we modified the prConfig.xml and added the line `<env value="true" name="HTTP/SetSecureCookie"/>`, and it fixed the issue. But this setting had some issues with PRBasic authentication, so we made this change only in the PROD environment, as only SSO is used there.
Now what can we do to fix the second issue about the HTTPOnly attribute? Is it something that we need to set in prConfig, and what are the side effects of that, if any (as in the case of the Secure attribute for PRBasic)?
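To verify whether a change such as the prConfig setting above actually takes effect, it helps to run the same check the scanner runs against the `Set-Cookie` headers the application returns. The following is an added example, not code from the original post or from Pega: it parses `Set-Cookie` headers (the sample headers and cookie names are constructed for illustration) and reports, per cookie, which of the `Secure` and `HttpOnly` attributes are missing.

```python
from typing import Dict, List

# Constructed sample Set-Cookie headers, as a scanner would see them in
# a response (illustrative names and values, not captured from a real server).
SAMPLE_SET_COOKIE_HEADERS = [
    "Pega-RULES=ABC123; Path=/prweb; Secure",
    "JSESSIONID=DEF456; Path=/prweb; HttpOnly",
    "SESSION-TOKEN=GHI789; Path=/prweb; Secure; HttpOnly; SameSite=Strict",
    "tracking=xyz; Path=/",
]

# The two attributes the scan in the post complained about.
REQUIRED_FLAGS = ("Secure", "HttpOnly")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into its name, value and lowercase attribute names."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = set()
    for attr in parts[1:]:
        # Attributes like "Path=/prweb" have a value; flags like "Secure" do not.
        key, _, _ = attr.partition("=")
        attrs.add(key.strip().lower())
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_flags(header: str) -> List[str]:
    """Return the required flags this header lacks; attribute names are case-insensitive."""
    cookie = parse_set_cookie(header)
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in cookie["attrs"]]


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its missing flags; cookies that carry both are omitted."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        missing = missing_flags(header)
        if missing:
            findings[parse_set_cookie(header)["name"]] = missing
    return findings


if __name__ == "__main__":
    for name, flags in audit_cookies(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name}: missing {', '.join(flags)}")
```

Run it against the headers captured from each environment separately, since the post notes that the Secure setting was applied only in PROD.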