Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Proper Set-Cookie Implementation

Ingrid

⇤ Web Application Header Assessment

Optional for HTTPS and HTTP

Set-Cookie provides information for setting cookies. The Set-Cookie header is defined in RFC-6265.

  • For HTTPS connections (if present) to be graded GOOD, Set-Cookie should be secure.
  • For HTTP connections:
    • No headers are graded unless Set-Cookie is defined and the finding grade will default to NEUTRAL.
    • The secure directive is not required when Set-Cookie is present.
  • The HttpOnly and Secure attributes for secure cookies are not evaluated since they are not user-configurable and do not contain sensitive information. These are treated as prefixes.
  • Cookies that begin with the same name (e.g., AWSALB ➔ AWSALBCORS) are ignored.

Cookies that do not contain sensitive information and are outside the control of the website owner are ignored. For more information, check the Cookie Assessment Exclusion.

See finding messages if Set-Cookie is not properly implemented.

  • December 5, 2024: Separated cookie allowlist.
  • September 11, 2023: Separated finding messages.
  • August 22, 2023: No Set-Cookie found message deprecation.

Related articles

Feedback

0 comments

Please sign in to leave a comment.