instructure / canvas-lms

The open LMS by Instructure, Inc.
https://github.com/instructure/canvas-lms/wiki
GNU Affero General Public License v3.0

_csrf_token Cookie without HttpOnly flag set : Security Error #2374

Open sharathkumar opened 1 week ago

sharathkumar commented 1 week ago

Summary:

Cookie without HttpOnly flag set

Issue detail: The following cookie was issued by the application and does not have the HttpOnly flag set: _csrf_token. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Issue background: If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure makes certain client-side attacks, such as cross-site scripting, slightly harder to exploit by preventing them from trivially capturing the cookie's value via an injected script.

Issue remediation: There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

References:
Web Security Academy: Exploiting XSS vulnerabilities
HttpOnly effectiveness

Vulnerability classifications:
CWE-16: Configuration
CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies

How to resolve this?
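The remediation text above carves out one exception: cookies that client-side script legitimately has to read. A CSRF token that the front end copies into a request header is the usual case, so a blanket "set HttpOnly everywhere" check produces false positives on it. The Ruby below is an added example, not Canvas code: it parses Set-Cookie headers, reports which security attributes each cookie lacks, and treats a declared allowlist of script-readable cookies (here only `_csrf_token`, an assumption about this deployment) as intentionally non-HttpOnly while still checking Secure and SameSite on them. The sample headers are constructed.

```ruby
require 'set'

# Constructed Set-Cookie headers as a scanner or proxy would capture them.
SAMPLE_HEADERS = [
  '_csrf_token=tok123; path=/; secure; SameSite=Lax',
  'session_id=sess456; path=/; secure; HttpOnly; SameSite=Lax',
  'prefs=theme-dark; path=/'
].freeze

# Cookies the application deliberately exposes to JavaScript, e.g. a
# double-submit CSRF token. Hypothetical allowlist for this example; it must
# come from the application's own design, not from the scanner.
JS_READABLE = Set.new(%w[_csrf_token]).freeze

Finding = Struct.new(:cookie, :missing, :note)

# Split one Set-Cookie header into [name, value, {attribute => value|true}].
# Attribute names are case-insensitive per RFC 6265, so they are downcased.
def parse_set_cookie(header)
  parts = header.split(';').map(&:strip)
  name, value = parts.shift.split('=', 2)
  attrs = {}
  parts.each do |part|
    key, val = part.split('=', 2)
    attrs[key.downcase] = val.nil? ? true : val
  end
  [name, value, attrs]
end

# Report missing HttpOnly/Secure/SameSite for every cookie. A cookie on the
# allowlist is not flagged for HttpOnly, since script must read it, but the
# finding carries a note so reviewers see that the exposure is intentional.
def audit_set_cookie(headers, js_readable: JS_READABLE)
  headers.map do |header|
    name, _value, attrs = parse_set_cookie(header)
    exposed_on_purpose = js_readable.include?(name)
    missing = []
    missing << 'HttpOnly' unless attrs['httponly'] || exposed_on_purpose
    missing << 'Secure' unless attrs['secure']
    missing << 'SameSite' unless attrs['samesite']
    note = 'script-readable by design; XSS prevention is the real control' if exposed_on_purpose
    Finding.new(name, missing, note)
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_set_cookie(SAMPLE_HEADERS).each do |f|
    puts "#{f.cookie}: missing=#{f.missing.inspect} #{f.note}"
  end
end
```

Run with an empty allowlist to see the scanner's view, where `_csrf_token` is reported for HttpOnly as in the report above.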