obiba / mica2

Mica is a web portal for epidemiological study consortia.
http://www.obiba.org/pages/products/mica/
GNU General Public License v3.0

[5.1.0] Security flags at the cookies are missing. #4395

Closed tuxmaster5000 closed 1 year ago

tuxmaster5000 commented 1 year ago

Our security scanner has detected that the Secure and HttpOnly flags are missing on the _uid cookie. Can you fix it?

Sample: nmap -p 443 --script http-cookie-flags --script http-headers ... | Set-Cookie: _uid=307343fb-efd1-42ba-87c0-dfee9d8e1652 ...

Thanks

ymarcon commented 1 year ago

See Reverse proxy recommended settings (headers section).

ymarcon commented 1 year ago

It is true that the HttpOnly flag should be enforced for this cookie. In the meantime you should use the workaround above (which does a bit more than setting the HttpOnly flag, so it is still the recommended approach).
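To make the report and the workaround concrete, here is an added example (not code from the mica2 project, and not the contents of OBiBa's reverse-proxy documentation). It audits the Set-Cookie headers of a constructed HTTP response the way a scanner such as nmap's http-cookie-flags script does, then applies the kind of rewrite a reverse proxy does when it is configured to append cookie flags (for nginx that is the proxy_cookie_flags directive; the exact directives in OBiBa's recommended settings are not reproduced here). The _uid cookie value is the one quoted in the issue; the second cookie, its name, and the SameSite=Lax choice are assumptions, and SameSite is checked as an extra recommendation beyond the Secure and HttpOnly flags the scanner flagged.

```python
"""Audit Set-Cookie flags and show the effect of a proxy-side rewrite.

Added example; not mica2 code and not OBiBa's documented proxy config.
"""

# Constructed sample response. The _uid line mirrors the Set-Cookie header
# quoted in the issue (no flags at all); JSESSIONID is an assumed second
# cookie that already carries Secure and HttpOnly but no SameSite.
RAW_RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: _uid=307343fb-efd1-42ba-87c0-dfee9d8e1652\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)

# Flags the scanner in the issue complained about, in report order.
REQUIRED_FLAGS = ("secure", "httponly")

# Flags a proxy rewrite would append when absent (assumed values).
DEFAULT_ADDED_FLAGS = ("Secure", "HttpOnly", "SameSite=Lax")


def parse_set_cookie(header_value):
    """Return (cookie_name, attrs); attrs maps lower-cased attribute -> value ('' for bare flags)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def set_cookie_headers(raw_response):
    """Extract the values of every Set-Cookie header (case-insensitive name)."""
    head = raw_response.partition("\r\n\r\n")[0]
    return [
        line.split(":", 1)[1].strip()
        for line in head.split("\r\n")
        if line.lower().startswith("set-cookie:")
    ]


def audit_cookies(raw_response):
    """Map cookie name -> list of missing flags; an empty list means the cookie is compliant."""
    findings = {}
    for value in set_cookie_headers(raw_response):
        name, attrs = parse_set_cookie(value)
        missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
        if "samesite" not in attrs:  # extra recommendation, not in the scanner's report
            missing.append("samesite")
        findings[name] = missing
    return findings


def add_flags(header_value, flags=DEFAULT_ADDED_FLAGS):
    """Append each flag that is not already present, leaving existing attributes untouched."""
    _, attrs = parse_set_cookie(header_value)
    out = header_value.rstrip("; ")
    for flag in flags:
        if flag.split("=", 1)[0].lower() not in attrs:
            out += "; " + flag
    return out


def harden_response(raw_response):
    """Rewrite every Set-Cookie header as a flag-appending reverse proxy would."""
    head, sep, body = raw_response.partition("\r\n\r\n")
    lines = []
    for line in head.split("\r\n"):
        if line.lower().startswith("set-cookie:"):
            line = "Set-Cookie: " + add_flags(line.split(":", 1)[1].strip())
        lines.append(line)
    return "\r\n".join(lines) + sep + body


if __name__ == "__main__":
    print("before:", audit_cookies(RAW_RESPONSE_BEFORE))
    print("after: ", audit_cookies(harden_response(RAW_RESPONSE_BEFORE)))
```

Run against a real deployment by replacing RAW_RESPONSE_BEFORE with the raw headers captured from the proxy's public port (not from the backend directly), since the point of the workaround is that the flags are added at the proxy and would not show up on the application port.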