Cookies set over a secure channel should contain the secure flag to ensure that the transmission of those cookies never occurs outside of that channel. However, some appliances used by web applications (such as load balancers) don’t support setting sticky session cookies with a secure flag. These cookies do not contain sensitive information and are outside the control of the website owner. To address these cases, we established the following:
- A process to dynamically detect non-sensitive cookies based on their characteristics, such as length and max-age.
- An allowlist of known non-sensitive cookies, i.e., cookies that will not be subject to sensitive-cookie assessments:
  - AppDynamics ADRUM
  - AWS ALB
  - AWS ELB
  - Azure App Service ARRAffinity
  - Citrix: citrix_ns_id_
  - Cloudflare: __cfuid
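The assessment logic described above, as an added example that is not part of the original article or the vendor's own implementation: each Set-Cookie header is parsed, cookies carrying the Secure flag pass, allowlisted names are skipped, and the remaining cookies are screened by a length and max-age heuristic before being reported. The exact cookie names assumed for the allowlisted vendors (AWSALB, AWSELB, ARRAffinity, ADRUM), the treatment of citrix_ns_id_ as a name prefix, and the numeric thresholds are assumptions for this example, not the page's criteria.

```python
"""Screen Set-Cookie headers for sensitive cookies missing the Secure flag."""
from dataclasses import dataclass
from typing import Optional

# Exact cookie names assumed for the allowlisted vendors (assumption, not from the page).
ALLOWLIST_EXACT = {"ADRUM", "AWSALB", "AWSALBCORS", "AWSELB", "ARRAffinity", "__cfuid"}
# The page lists citrix_ns_id_ with a trailing underscore; treated here as a name prefix.
ALLOWLIST_PREFIXES = ("citrix_ns_id_",)

# Hypothetical thresholds for the dynamic "non-sensitive" detection.
MAX_NONSENSITIVE_VALUE_LEN = 16   # characters
MAX_NONSENSITIVE_MAX_AGE = 600    # seconds


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool
    max_age: Optional[int]


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value; attr; attr=value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure, max_age = False, None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "secure":
            secure = True
        elif key.lower() == "max-age" and val.strip().lstrip("-").isdigit():
            max_age = int(val)
    return Cookie(name.strip(), value.strip(), secure, max_age)


def is_allowlisted(name: str) -> bool:
    return name in ALLOWLIST_EXACT or name.startswith(ALLOWLIST_PREFIXES)


def looks_non_sensitive(c: Cookie) -> bool:
    """Heuristic: short value plus short explicit lifetime (assumed thresholds)."""
    return (len(c.value) <= MAX_NONSENSITIVE_VALUE_LEN
            and c.max_age is not None and c.max_age <= MAX_NONSENSITIVE_MAX_AGE)


def assess(header: str) -> str:
    """Return 'ok', 'allowlisted', 'non-sensitive' or 'finding' for one header."""
    c = parse_set_cookie(header)
    if c.secure:
        return "ok"
    if is_allowlisted(c.name):
        return "allowlisted"
    if looks_non_sensitive(c):
        return "non-sensitive"
    return "finding"
```

Only headers classified as "finding" correspond to the risk the article describes: a cookie that may carry sensitive data and is not restricted to the secure channel.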
- January 15, 2025: Clarification on the cookie's attribute (non-sensitive, not secure).
- December 5, 2024: Published.