Forum Discussion

vvskaladhar_488's avatar
Icon for Nimbostratus rankNimbostratus
Jan 27, 2017

The cookie does not contain the "HTTPOnly" attribute.

Hi All, we got vulnerability as below in our vulnerability scan


Threat The cookie does not contain the "HTTPOnly" attribute.


Impact Cookies without the "HTTPOnly" attribute are permitted to be accessed via JavaScript. Cross-site scripting attacks can steal cookies which could lead to user impersonation or compromise of the application account.


Solution If the associated risk of a compromised account is high, apply the "HTTPOnly" attribute to cookies.


But We need both the HTTPOnly and Secure flags set on the cookies. can you please let me know if this can be achieved if i made the setting http only on the cookie ? or please suggest me if any thing else need to be taken care