elleracompany / craft-cookie-consent

GDPR-Compliant cookie consent banner for Craft CMS

Set Secure attribute on consent cookie #101

Open mtwalsh opened 1 year ago

mtwalsh commented 1 year ago

Hi,

A website of ours that utilises this plugin (v.1.6.1) has recently undergone a penetration test and one issue that was raised related to the fact that the cookie consent cookie this plugin creates does not set the 'Secure' attribute on the cookie.

Sidestepping the argument around whether or not this is a vulnerability, it seems like a simple enough change to make here:

https://github.com/elleracompany/craft-cookie-consent/blob/master/src/controllers/ConsentController.php#L47-L51

Related Yii2 docs for reference here:

https://www.yiiframework.com/doc/api/2.0/yii-web-cookie
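For readers following the thread, here is what the requested change looks like in Yii2 terms. This is an added example, not the plugin's code from `ConsentController.php` and not the fix the maintainers shipped; the cookie name, value and lifetime are constructed, and the helper names are hypothetical. It uses only the `yii\web\Cookie` properties documented at the link above and the standard Yii `Response::getCookies()->add()` call that Craft inherits.

```php
<?php
// Added example (not the plugin's own code): a consent cookie built with
// yii\web\Cookie, first as the pentest found it (no Secure attribute) and
// then with the attributes a reviewer would expect.

use yii\web\Cookie;

// Hypothetical cookie name and one-year lifetime, constructed for this example.
const CONSENT_COOKIE_NAME = 'example-cookie-consent';
const CONSENT_LIFETIME    = 365 * 24 * 3600;

/**
 * Before: only name, value and expiry are set. Yii defaults 'secure' to false,
 * so the browser also attaches this cookie to plain http:// requests, which is
 * the finding raised in the pentest.
 */
function buildInsecureConsentCookie(string $consentState): Cookie
{
    return new Cookie([
        'name'   => CONSENT_COOKIE_NAME,
        'value'  => $consentState,
        'expire' => time() + CONSENT_LIFETIME,
    ]);
}

/**
 * After: 'secure' => true restricts the cookie to HTTPS. SameSite=Lax keeps it
 * off cross-site POSTs. HttpOnly is only appropriate if no front-end script of
 * the banner needs to read the consent state from document.cookie; if it does,
 * leave $httpOnly false and rely on Secure + SameSite alone.
 *
 * Caveat: a Secure cookie is never sent over http://, so a site still reachable
 * over plain HTTP must redirect to HTTPS or the stored consent is invisible there.
 */
function buildSecureConsentCookie(string $consentState, bool $httpOnly = false): Cookie
{
    return new Cookie([
        'name'     => CONSENT_COOKIE_NAME,
        'value'    => $consentState,
        'expire'   => time() + CONSENT_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httpOnly' => $httpOnly,
        'sameSite' => Cookie::SAME_SITE_LAX,
    ]);
}

/**
 * Queue the hardened cookie on the current response. With
 * Request::enableCookieValidation on (Craft's default) Yii also signs the
 * value, so a tampered consent string is rejected on the way back in.
 */
function sendConsentCookie(string $consentState): void
{
    \Craft::$app->getResponse()->getCookies()->add(
        buildSecureConsentCookie($consentState)
    );
}
```

To confirm the change took effect, look at the `Set-Cookie` response header in the browser's network tab or with `curl -I https://example.invalid/` (placeholder host) and check that `Secure` and `SameSite=Lax` appear on the consent cookie.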

lukas-jansen commented 11 months ago

We got the same issue