Proper Set-Cookie Implementation – Bitsight Knowledge Base

This documentation pertains to the Web Application Headers (WAH) risk vector, which was replaced with Web Application Security (WAS) in the RAU25 and will be deprecated. WAH is now a non-graded risk vector and is assigned with an N/A grade.

Set-Cookie provides information for setting cookies. The Set-Cookie header is defined in RFC-6265.

Cookies that do not contain sensitive information and are outside the control of the website owner are ignored. For more information, check the Cookie Assessment Exclusion.

Optional for: HTTPS and HTTP

Configuration

For HTTPS connections (if present) to be graded GOOD, Set-Cookie should be secure.
For HTTP connections:
- No headers are graded unless Set-Cookie is defined and the finding grade defaults to NEUTRAL.
- The secure directive is not required when Set-Cookie is present.
The HttpOnly and Secure attributes for secure cookies are not evaluated since they are not user-configurable and do not contain sensitive information. These are treated as prefixes.
Cookies that begin with the same name (e.g., AWSALB ➔ AWSALBCORS) are ignored.

See how Web Application Headers is assessed and see finding messages if Set-Cookie is not properly implemented.

December 9, 2025: WAH was replaced by WAS.
December 5, 2024: Separated cookie allowlist.
September 11, 2023: Separated finding messages.
August 22, 2023: No Set-Cookie found message deprecation.

Configuration

Related articles