- September 11, 2023: Separated finding messages.
- August 22, 2023:
No Set-Cookie foundmessage deprecation. - February 8, 2023: AWS ALB, Azure App Service ARRAffinity.
⇤ Web Application Header Assessment
Optional for HTTPS and HTTP
Set-Cookie provides information for setting cookies. The Set-Cookie header is defined in RFC-6265.
- For HTTPS connections (if present) to be graded GOOD,
Set-Cookieshould besecure. - For HTTP connections:
- No headers are graded unless Set-Cookie is defined and the finding grade will default to NEUTRAL.
- The
securedirective is not required whenSet-Cookieis present.
The HttpOnly and Secure attributes for the following cookies are not evaluated since they are not user-configurable and do not contain sensitive information:
- AWS ELB
- AWS ALB
- Cloudflare __cfuid
- AppDynamics ADRUM
- Azure App Service ARRAffinity
These are treated as prefixes. Other cookies that begin with the same name (e.g. AWSALB -> AWSALBCORS) will also be ignored.
See finding messages if Set-Cookie is not properly implemented.