Secure Cookie on Insecure Channel Findings are scanned as part of the Sensitive Data Exposure Security Tests used to evaluate the Web Application Security Risk Vector.
The Secure flag instructs the browser to send a cookie only over a secure (HTTPS) channel, never over plain HTTP. Occasionally, however, a website sets such a cookie in a response delivered over an insecure channel, which defeats the purpose of the flag, since the cookie value has already crossed the network in the clear. Some modern browsers will even ignore a Secure cookie that was set over an insecure medium.
Need to fix?
- Ensure the site is accessible through a secure connection.
- If that is not possible, ensure the application does not depend on cookies with the “secure” flag set.
Does this impact my WAS Risk Vector Grade? Yes.
Possible Grades:
- Neutral: Secure cookie set on insecure channel findings are informational only
- Weight = Not applicable
What will I see in the Portal?
Issue: Secure Cookie on insecure channel.
Details: A cookie with a "secure" attribute is set from a non-HTTPS endpoint.
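As an added example that is not part of the original article, the check below reproduces this finding over a captured exchange: it assumes the request URL and the raw Set-Cookie header values have already been collected (the sample exchange is constructed).

```python
# Added example (not from the original article): reproduce the "Secure cookie
# on insecure channel" check over a captured HTTP exchange. Assumes the request
# URL and the raw Set-Cookie header values have already been collected.
from urllib.parse import urlparse


def parse_set_cookie(header: str) -> tuple:
    """Split one Set-Cookie header value into (cookie name, attributes).

    Valueless attributes such as Secure and HttpOnly map to True; attributes
    with a value (Path, Max-Age, SameSite, ...) map to that value. Attribute
    names are case-insensitive, so they are lower-cased for lookup.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip() if has_value else True
    return name.strip(), attrs


def secure_cookies_over_insecure_channel(url: str, set_cookie_headers: list) -> list:
    """Return the names of cookies carrying the Secure attribute that were set
    by a non-HTTPS endpoint. Only an https:// URL counts as a secure channel.
    Presence of the attribute is what matters: browsers ignore any value
    given to Secure, so "Secure=" is treated the same as "Secure"."""
    if urlparse(url).scheme.lower() == "https":
        return []  # Secure cookies set over HTTPS are the intended configuration
    return [name for name, attrs in map(parse_set_cookie, set_cookie_headers)
            if "secure" in attrs]


# Constructed sample exchange: a login page served over plain HTTP that sets
# two Secure cookies and one ordinary cookie.
SAMPLE_URL = "http://example.test/login"
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/; Max-Age=3600",
    "csrf=xyz789; Secure; SameSite=Strict",
]

if __name__ == "__main__":
    for name in secure_cookies_over_insecure_channel(SAMPLE_URL, SAMPLE_SET_COOKIE):
        print(f"Issue: Secure cookie '{name}' set from non-HTTPS endpoint {SAMPLE_URL}")
```

Running the same headers against an https:// URL returns an empty list, which is the configuration the remediation steps above aim for.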