Cookie Assessment Exclusion

Ingrid

Cookies set over a secure channel should carry the Secure flag, so that they are never transmitted outside that channel. However, some appliances used by web applications (such as load balancers) do not support setting sticky session cookies with the Secure flag. These cookies do not contain sensitive information and are outside the control of the website owner.

To address these cases, we established the following:

- A process to dynamically detect non-sensitive cookies based on their characteristics, such as length and max-age.
- An allowlist of known non-sensitive cookies, i.e., cookies that will not be subject to sensitive-cookie assessments:
  - AppDynamics: ADRUM
  - AWS ALB
  - AWS ELB
  - Azure App Service: ARRAffinity
  - Citrix: citrix_ns_id_
  - Cloudflare: __cfuid

Related Risk Vectors: Web Application Headers, Web Application Security

Change log:
- January 15, 2025: Clarification on the cookie's attribute (non-sensitive, not secure).
- December 5, 2024: Published.
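The following is an added example of how such an assessment can be implemented; it is not the vendor's own code and the article does not describe its implementation. It parses a Set-Cookie header value, reports cookies that lack the Secure flag, and exempts a cookie either because its name is on the allowlist above or because a dynamic rule judges it non-sensitive. Assumptions: the article's "AWS ALB" and "AWS ELB" rows are taken to mean the AWSALB and AWSELB stickiness cookies, "citrix_ns_id_" is treated as a name prefix, and the length and max-age thresholds in the dynamic rule are hypothetical (the article names the characteristics but gives no numbers). The sample headers are constructed, not captured from any real site.

```python
from dataclasses import dataclass
from typing import Optional

# Allowlist from the article (cookie name -> vendor). Assumption: the article's
# "AWS ALB"/"AWS ELB" entries refer to the AWSALB/AWSELB load-balancer cookies.
ALLOWLIST_EXACT = {
    "ADRUM": "AppDynamics",
    "AWSALB": "AWS ALB",
    "AWSELB": "AWS ELB",
    "ARRAffinity": "Azure App Service",
    "__cfuid": "Cloudflare",  # spelled as in the article
}
# Assumption: the trailing underscore means the Citrix entry is a name prefix.
ALLOWLIST_PREFIX = {"citrix_ns_id_": "Citrix"}

# Hypothetical thresholds for the dynamic rule (article gives no numbers).
MAX_NON_SENSITIVE_VALUE_LEN = 32
MAX_NON_SENSITIVE_MAX_AGE = 3600  # seconds


@dataclass
class CookieAssessment:
    name: str
    secure: bool
    exempt: bool
    reason: str

    @property
    def finding(self) -> bool:
        """True when the cookie is reported: no Secure flag and not exempt."""
        return not self.secure and not self.exempt


def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (name, value, attrs).
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to None."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else None
    return name.strip(), value.strip(), attrs


def allowlist_vendor(name: str) -> Optional[str]:
    """Return the vendor for an allowlisted cookie name, else None."""
    if name in ALLOWLIST_EXACT:
        return ALLOWLIST_EXACT[name]
    for prefix, vendor in ALLOWLIST_PREFIX.items():
        if name.startswith(prefix):
            return vendor
    return None


def assess_set_cookie(header_value: str) -> CookieAssessment:
    """Assess a single Set-Cookie header received over a secure channel."""
    name, value, attrs = parse_set_cookie(header_value)
    secure = "secure" in attrs
    vendor = allowlist_vendor(name)
    if vendor is not None:
        return CookieAssessment(name, secure, True, f"allowlisted ({vendor})")
    max_age = attrs.get("max-age")
    try:
        max_age_s = int(max_age) if max_age is not None else None
    except ValueError:
        max_age_s = None  # malformed Max-Age: treat as absent
    # Dynamic rule: short value and short, explicit lifetime -> non-sensitive.
    if (len(value) <= MAX_NON_SENSITIVE_VALUE_LEN
            and max_age_s is not None
            and 0 <= max_age_s <= MAX_NON_SENSITIVE_MAX_AGE):
        return CookieAssessment(name, secure, True, "short value with short max-age")
    return CookieAssessment(name, secure, False, "assessed as potentially sensitive")


def findings(headers):
    """Return only the assessments that should be reported."""
    return [a for a in map(assess_set_cookie, headers) if a.finding]


# Constructed sample Set-Cookie values (not captured from any real site).
SAMPLE_HEADERS = [
    "AWSALB=abc123def456; Path=/; Max-Age=604800",
    "citrix_ns_id_web=1a2b3c; Path=/; HttpOnly",
    "sessionid=9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c; Path=/; HttpOnly; SameSite=Lax",
    "sessionid=9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c; Path=/; Secure; HttpOnly",
    "ab_test=B; Path=/; Max-Age=600",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        a = assess_set_cookie(h)
        print(f"{a.name:18} secure={a.secure!s:5} exempt={a.exempt!s:5} "
              f"finding={a.finding!s:5} {a.reason}")
```

Of the five constructed headers, only the first `sessionid` cookie is reported: the load-balancer cookies are exempt by allowlist, `ab_test` by the dynamic rule, and the second `sessionid` carries the Secure flag. Exempting a cookie only suppresses the Secure-flag finding; it says nothing about whether the cookie needs HttpOnly or SameSite.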