
Web Application Headers Risk Vector


1 comment

  • Permanently deleted user

    Bitsight is flagging the "__cfduid" cookie set by Cloudflare as problematic because it does not contain the Secure attribute. This is not something that Cloudflare clients can configure, and Cloudflare has no plans to enable the Secure flag, nor does it make sense to enable the flag. From Cloudflare:

    The __cfduid cookie is used to override any security restrictions based on the IP address the visitor is coming from. For example, if the visitor is in a coffee shop where there are a bunch of infected machines, but the visitor’s machine is known trusted, then the cookie can override the security setting. It does not correspond to any userid in the web application, nor does the cookie store any personally identifiable information. 

    Note: This cookie is strictly necessary for site security operations and can’t be turned off.

    Does Bitsight have any plans to work with organizations who are using Cloudflare? It seems regressive to penalize an organization's score for using a service like Cloudflare.
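The check Bitsight is applying here is a plain Set-Cookie attribute audit: parse each Set-Cookie header in a response and report cookies that lack Secure, HttpOnly or SameSite. Below is an added example of that audit, written for this page; it is not Bitsight's scanner and not Cloudflare code. The header values in SAMPLE_HEADERS are constructed to resemble what the comment describes (a __cfduid cookie with HttpOnly but no Secure, alongside one hardened cookie and one bare cookie); the function names, the cookie values and the domain example.com are assumptions for illustration.

```python
"""Audit Set-Cookie headers for missing security attributes.

Added example for this page; not Bitsight's scanner and not Cloudflare code.
SAMPLE_HEADERS is constructed, not captured from a live site.
"""
from dataclasses import dataclass, field

# Attributes that a scanner typically expects on every cookie.
SECURITY_FLAGS = ("secure", "httponly")


@dataclass
class CookieAudit:
    name: str
    attributes: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into a cookie name and attribute map.

    Attribute names are compared case-insensitively (RFC 6265, section 5.2),
    so 'Secure', 'secure' and 'SECURE' are treated alike. Splitting on ';'
    keeps the comma inside an Expires date intact.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    audit = CookieAudit(name=name.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        # Flag-style attributes (HttpOnly, Secure) have no value; store True.
        audit.attributes[key.strip().lower()] = val.strip() or True
    return audit


def audit_cookie(header: str) -> CookieAudit:
    """Record each missing or unsafe attribute as a finding string."""
    audit = parse_set_cookie(header)
    for flag in SECURITY_FLAGS:
        if flag not in audit.attributes:
            audit.findings.append(f"missing {flag}")
    samesite = audit.attributes.get("samesite")
    if samesite is None:
        audit.findings.append("missing samesite")
    elif str(samesite).lower() == "none" and "secure" not in audit.attributes:
        # Browsers reject SameSite=None unless Secure is also present.
        audit.findings.append("samesite=none without secure")
    return audit


def audit_response_headers(headers) -> dict:
    """headers: list of (name, value) tuples as received from a server.

    Returns {cookie_name: [findings]} for every Set-Cookie header seen.
    """
    results = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie = audit_cookie(value)
            results[cookie.name] = cookie.findings
    return results


# Constructed sample response headers (not captured from a real site).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    # Resembles the cookie discussed above: HttpOnly and SameSite set, no Secure.
    ("Set-Cookie", "__cfduid=d41d8cd98f00b204e9800998ecf8427e1596000000; "
                   "expires=Sat, 29-Aug-20 12:00:00 GMT; path=/; "
                   "domain=.example.com; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]


if __name__ == "__main__":
    for cookie_name, findings in audit_response_headers(SAMPLE_HEADERS).items():
        print(f"{cookie_name}: {', '.join(findings) or 'ok'}")
```

Run against the constructed headers, the audit reports only "missing secure" for __cfduid, nothing for the session cookie, and all three attributes missing for the bare prefs cookie. A check like this cannot tell whether the site operator is able to change the cookie, which is the point the comment raises: a cookie injected by a CDN or proxy in front of the origin shows up in the same Set-Cookie list as cookies the application itself issues.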

