Web Application Header Assessment
Set-Cookie
Optional for HTTPS and HTTP.
Set-Cookie provides information for setting cookies. The Set-Cookie header is defined in RFC 6265.
- For HTTPS connections, Set-Cookie (if present) must carry the secure attribute to be graded GOOD.
- For HTTP connections:
  - If no Set-Cookie header is defined, no headers are graded and the finding grade defaults to NEUTRAL.
  - The secure directive is not required when Set-Cookie is present.
The HttpOnly and Secure attributes of the following cookies are not evaluated, since they are not user-configurable and do not contain sensitive information:
- AWS ELB
- AWS ALB
- Cloudflare __cfuid
- AppDynamics ADRUM
- Azure App Service ARRAffinity
These are treated as prefixes. Other cookies that begin with the same name (e.g. AWSALB -> AWSALBCORS) will also be ignored.
See the finding messages if Set-Cookie is not properly implemented.
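An added example, not the assessment's own code: a small Python grader that applies the rules above (secure required on HTTPS, not on HTTP, NEUTRAL when no Set-Cookie is defined) and skips the cookie-name prefixes listed above. The grade name BAD and the NEUTRAL result for an HTTPS response with no Set-Cookie at all are assumptions; the page does not state them.

```python
from typing import List, Tuple

# Cookie-name prefixes whose HttpOnly/Secure attributes are not evaluated (list taken
# from this page; AWSELB/AWSALB are the names the AWS ELB/ALB cookies use). Prefix match.
IGNORED_PREFIXES = ("AWSELB", "AWSALB", "__cfuid", "ADRUM", "ARRAffinity")

def parse_set_cookie(value: str) -> Tuple[str, set]:
    """Split one Set-Cookie value into the cookie name and its lowercased attribute names."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def is_ignored(name: str) -> bool:
    """Prefix match, so e.g. AWSALBCORS is skipped together with AWSALB."""
    return any(name.startswith(p) for p in IGNORED_PREFIXES)

def grade_set_cookie(scheme: str, set_cookie_values: List[str]) -> Tuple[str, List[str]]:
    """Apply the rules above; return (grade, finding messages).

    GOOD and NEUTRAL are the page's grades; "BAD" for an HTTPS cookie without Secure
    is an assumed name, as is NEUTRAL for an HTTPS response with no Set-Cookie at all.
    """
    if not set_cookie_values:
        # No Set-Cookie defined: nothing is graded, the finding defaults to NEUTRAL.
        return "NEUTRAL", []
    if scheme.lower() == "http":
        # Over plain HTTP the secure directive is not required.
        return "GOOD", []
    findings = []
    for raw in set_cookie_values:
        name, attrs = parse_set_cookie(raw)
        if is_ignored(name):
            continue  # not user-configurable; attributes are not evaluated
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} is set over HTTPS without the Secure attribute")
    return ("BAD" if findings else "GOOD"), findings

# Constructed sample Set-Cookie values (not captured from a real site).
SAMPLE_HTTPS = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "AWSALBCORS=xyz; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT",  # ignored by prefix
    "tracker=1; Path=/",  # no Secure attribute -> finding
]

if __name__ == "__main__":
    print(grade_set_cookie("https", SAMPLE_HTTPS))
```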
- September 11, 2023: Separated finding messages.
- August 22, 2023: "No Set-Cookie found" message deprecation.
- February 8, 2023: AWS ALB, Azure App Service ARRAffinity.