The following cookie was found to have the "httponly" flag disabled.
Setting the "HttpOnly" flag on a cookie prevents attacks such as cross-site scripting (XSS) from reaching it, because the cookie cannot be accessed from the client side (e.g., it cannot be read by a snippet of JavaScript code). If an attacker can access the cookie on the client side, malicious code may be written to collect that cookie along with any session/authentication information it carries.
Recommendation
It is recommended to enable the HttpOnly flag to prevent access via a client-side script.
More information can be found on this vulnerability at https://www.owasp.org/index.php/HttpOnly#Mitigating_the_Most_Common_XSS_attack_using_HttpOnly
There are multiple ways to enable this flag, one of which is to set it within the response header:
Set-Cookie: <name>=<value>[; <Max-Age>=<age>]
[; expires=<date>][; domain=<domain_name>]
[; path=<some_path>][; secure][; HttpOnly]
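As an added example (not part of the original report or of the NowSecure product), the following Python script parses Set-Cookie header values in the syntax shown above and reports which cookies lack the HttpOnly (and Secure) attribute, then shows how a non-compliant header looks once the missing flags are appended. The sample headers are constructed for this example; attribute matching is case-insensitive, as RFC 6265 requires.

```python
"""Audit Set-Cookie response headers for the HttpOnly and Secure flags.

Added example, not part of the original report. The sample headers
below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value (None for bare flags like HttpOnly)
    attributes: dict = field(default_factory=dict)

    def has_flag(self, flag: str) -> bool:
        return flag.lower() in self.attributes


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are case-insensitive, so "HttpOnly", "httponly" and
    "HTTPONLY" are all recognised as the same flag.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value, attrs)


def missing_flags(header: str, required=("httponly", "secure")) -> list:
    """Return the required flags that the cookie in `header` does not set."""
    cookie = parse_set_cookie(header)
    return [flag for flag in required if not cookie.has_flag(flag)]


def harden(header: str, required=("httponly", "secure")) -> str:
    """Return the header with any missing flags appended in canonical spelling."""
    canonical = {"httponly": "HttpOnly", "secure": "Secure"}
    missing = missing_flags(header, required)
    if not missing:
        return header
    return header.rstrip("; ") + "".join(f"; {canonical[f]}" for f in missing)


def audit(headers) -> dict:
    """Map each cookie name to the list of flags it lacks (empty if compliant)."""
    return {parse_set_cookie(h).name: missing_flags(h) for h in headers}


# Constructed sample response headers for this example.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Secure",                            # HttpOnly missing
    "auth=tok; Path=/; Secure; HttpOnly",                          # compliant
    "prefs=dark; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",   # both flags missing
    "csrf=xyz; path=/; secure; httponly",                          # lower-case flags still count
]


if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "MISSING " + ", ".join(missing)
        print(f"{name:10s} {status}")
    print("hardened:", harden(SAMPLE_HEADERS[0]))
```

Run against a captured set of response headers, the audit lists every cookie that a scanner would flag for this finding; the hardened form is what the server should be emitting instead.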
The context table below provides the source and the type of cookie which was found to be vulnerable.
Risk and Regulatory Information
Severity: medium CVSS: 5.3
Application
See more detail in the NowSecure Report