Hello Akeeba,
Our client did a pentest on the website and there was one medium warning. Is this something we can set in .htaccess from Admin Tools?
Medium warning: Insecure cookie setting: missing Secure flag
Cookie name:
9013e9e1db4d18b884ca37383d7df276
Set-Cookie:
9013e9e1db4d18b884ca37383d7df276=1vp85c0q2t2r8g0t0g857c0nmt; path=/; HttpOnly
Risk description:
Since the Secure flag is not set on the cookie, the browser will send it over an unencrypted channel (plain HTTP) if such a request is
made. Thus, the risk exists that an attacker will intercept the clear-text communication between the browser and the server and he will
steal the cookie of the user. If this is a session cookie, the attacker could gain unauthorized access to the victim's web session.
Recommendation:
Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel.
Ensure that the secure flag is set for cookies containing such sensitive information.
References:
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html
Classification:
CWE : CWE-614
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
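As an added example (not part of this ticket, and not code from Akeeba Admin Tools or Joomla): a small Python checker that parses a Set-Cookie header like the one in the finding above, reports which hardening attributes are missing (Secure, HttpOnly, SameSite), and shows the same header with the Secure flag appended, which is the end result a web-server rewrite such as Apache mod_headers' `Header edit Set-Cookie ^(.*)$ "$1; Secure"` produces. The function and class names are my own; the sample header is the one quoted in the ticket.

```python
"""Audit Set-Cookie headers for Secure / HttpOnly / SameSite.

Added example; not from the ticket, Akeeba Admin Tools or Joomla.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The header quoted in the pentest finding (name, value and attributes as reported).
SAMPLE_HEADER = (
    "9013e9e1db4d18b884ca37383d7df276=1vp85c0q2t2r8g0t0g857c0nmt; path=/; HttpOnly"
)


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def _split_attributes(header: str) -> Dict[str, str]:
    """Return the cookie attributes (lower-cased keys) that follow the name=value pair."""
    attrs: Dict[str, str] = {}
    for part in header.split(";")[1:]:
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return attrs


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header and list the missing hardening attributes."""
    name = header.split(";", 1)[0].split("=", 1)[0].strip()
    attrs = _split_attributes(header)
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    samesite = attrs.get("samesite") or None  # "SameSite" with no value is treated as absent

    findings: List[str] = []
    if not secure:
        # The finding in the ticket: the browser may send the cookie over plain HTTP (CWE-614).
        findings.append("missing Secure flag (CWE-614)")
    if not httponly:
        findings.append("missing HttpOnly flag (cookie readable from script)")
    if samesite is None:
        findings.append("missing SameSite attribute")
    return CookieAudit(name, secure, httponly, samesite, findings)


def add_secure_flag(header: str) -> str:
    """Append '; Secure' unless the header already carries it (idempotent).

    This mirrors what a server-side rewrite of the Set-Cookie header does; it does not
    change the application's own cookie settings.
    """
    if "secure" in _split_attributes(header):
        return header
    return header.rstrip().rstrip(";") + "; Secure"


def audit_headers(headers: List[str]) -> List[CookieAudit]:
    """Audit several Set-Cookie headers; returns only those with at least one finding."""
    return [a for a in (parse_set_cookie(h) for h in headers) if a.findings]


if __name__ == "__main__":
    for audit in audit_headers([SAMPLE_HEADER, add_secure_flag(SAMPLE_HEADER)]):
        print(audit.name, "->", "; ".join(audit.findings))
    print("hardened header:", add_secure_flag(SAMPLE_HEADER))
```

Run against the quoted header, the checker reports the missing Secure flag and the missing SameSite attribute while confirming HttpOnly is present; after `add_secure_flag` only the SameSite finding remains. Appending the flag at the web server is only safe when the site is served exclusively over HTTPS, since a Secure cookie is never sent over plain HTTP and a mixed http/https site would lose its session on the HTTP pages.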