Web Application Header Assessment
Optional for HTTPS and HTTP
Set-Cookie provides information for setting cookies. The Set-Cookie header is defined in RFC 6265.
- For HTTPS connections (if present) to be graded GOOD, Set-Cookie should be secure.
- For HTTP connections:
  - No headers are graded unless Set-Cookie is defined, and the finding grade will default to NEUTRAL.
  - The secure directive is not required when Set-Cookie is present.
- The HttpOnly and Secure attributes for secure cookies are not evaluated, since they are not user-configurable and do not contain sensitive information. These are treated as prefixes.
- Cookies that begin with the same name (e.g., AWSALB ➔ AWSALBCORS) are ignored.
Cookies that do not contain sensitive information and are outside the control of the website owner are ignored. For more information, check the Cookie Assessment Exclusion.
See the finding messages if Set-Cookie is not properly implemented.
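The following is an added example, not the assessment vendor's own code, that applies the grading rules described above to a set of Set-Cookie header values: cookies whose names begin with an allowlisted prefix (such as AWSALB ➔ AWSALBCORS) are ignored, HTTPS responses are graded GOOD only when every evaluated cookie carries the Secure attribute, and HTTP responses stay at the NEUTRAL default. The grade names GOOD and NEUTRAL come from the text; the failing grade BAD, the contents of the allowlist, the treatment of an absent Set-Cookie on HTTPS as NEUTRAL, and the attribute parser are assumptions made for this example.

```python
"""Added example: grade Set-Cookie headers per the assessment rules above.

Assumptions (not from the page): the failing grade is called BAD, the
allowlist below is a constructed stand-in for the Cookie Assessment
Exclusion list, and an HTTPS response with nothing to evaluate is NEUTRAL.
"""
from dataclasses import dataclass, field

# Constructed allowlist of cookie-name prefixes that are outside the site
# owner's control. Matching is by prefix, so AWSALB also covers AWSALBCORS.
IGNORED_COOKIE_PREFIXES = ("AWSALB", "__cf_bm")


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> attribute value, or True for flag attributes
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 shape: name=value; attr; attr=val)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return Cookie(name.strip(), value.strip(), attrs)


def is_ignored(cookie: Cookie) -> bool:
    """Exclusion rule: cookie names beginning with an allowlisted prefix are not graded."""
    return any(cookie.name.startswith(prefix) for prefix in IGNORED_COOKIE_PREFIXES)


def grade_set_cookie(scheme: str, headers: list) -> tuple:
    """Return (grade, findings) for the Set-Cookie headers of one response.

    scheme  : "https" or "http"
    headers : list of Set-Cookie header values from the response
    """
    cookies = [parse_set_cookie(h) for h in headers]
    evaluated = [c for c in cookies if not is_ignored(c)]
    findings = [f"ignored allowlisted cookie {c.name}" for c in cookies if is_ignored(c)]

    if scheme == "http":
        # Plain HTTP: the Secure directive is not required, and the finding
        # grade defaults to NEUTRAL whether or not Set-Cookie is present.
        return "NEUTRAL", findings

    if not evaluated:
        # Assumption: nothing to evaluate on HTTPS is reported as NEUTRAL.
        return "NEUTRAL", findings + ["no Set-Cookie to evaluate"]

    missing = [c.name for c in evaluated if "secure" not in c.attributes]
    if missing:
        # "BAD" is an assumed label; the page only names GOOD and NEUTRAL.
        return "BAD", findings + [f"cookie {n} lacks the Secure attribute" for n in missing]
    return "GOOD", findings


if __name__ == "__main__":
    # Constructed sample headers, as they might appear in an HTTPS response.
    sample = [
        "sid=abc123; Secure; HttpOnly; Path=/; SameSite=Lax",
        "AWSALBCORS=xyz; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
    ]
    print(grade_set_cookie("https", sample))
    print(grade_set_cookie("https", ["sid=abc123; HttpOnly"]))
    print(grade_set_cookie("http", ["sid=abc123"]))
```

Run it directly to see the three grades; `grade_set_cookie` is kept free of I/O so it can be called from a scanner that has already collected the response headers. The prefix-based allowlist is the simplest reading of "these are treated as prefixes"; a production implementation would load the exclusion list rather than hard-code it.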
- December 5, 2024: Separated cookie allowlist.
- September 11, 2023: Separated finding messages.
- August 22, 2023: "No Set-Cookie found" message deprecation.