Comments (8)

ssddanbrown avatar ssddanbrown commented on July 29, 2024 1

I'm going to go ahead and close this off as I feel the goal here is to dismiss a warning in an automated scanner, rather to consider the context, risk and actual security implications.

If you believe there is an actual risk I'm happy to hear feedback/input but I'd need that explained with context, which in this case is for an XSRF token where we send XSRF tokens in HTML responses anyway.

D4thToMS avatar D4thToMS commented on July 29, 2024 1

Perfect! That's easier, I'll ask all vulnerability scanners to make an exception 🥇
Not only the vulnerability scanner reports this issue, OWASP ZAP does as well, but they must be wrong of course.
ZAP Scanning Report.pdf

ssddanbrown avatar ssddanbrown commented on July 29, 2024

@ducarrozb Please confirm exactly what cookie you're referring to that you'd consider a security issue in this context.

ducarrozb avatar ducarrozb commented on July 29, 2024

@ssddanbrown

Screenshot 2024-04-09 at 14 12 53

ssddanbrown avatar ssddanbrown commented on July 29, 2024

@ducarrozb thanks for providing the detail.

I don't really see making the XSRF token HttpOnly adding any reasonable security benefit here since, following the scenario in the "Vulnerability Insight" section, the XSRF token could just be read from the DOM anyway.
While the XSRF token is session based, it is not the user session itself.

If you do foresee some security risk here, feel free to explain it within the context of this application and the specific use of the cookie to help me understand any actual risk/concerns.

ducarrozb avatar ducarrozb commented on July 29, 2024

Hmm, not sure if hackers see that the same way as you:

As you can see in the report the cookie could lead to session hijacking attacks.
As told above, I tried to insert

<IfModule mod_headers.c>
    # append HttpOnly to every Set-Cookie header (no trailing period inside the quotes)
    Header always edit Set-Cookie (.*) "$1; HttpOnly"
</IfModule>

in different files, but the problem persists. I wonder in which file I have to add these lines, since this would be the solution to the problem.

ssddanbrown avatar ssddanbrown commented on July 29, 2024

@ducarrozb None of those links indicate why the lack of HttpOnly for an XSRF token cookie (which is already in the HTML) would be an issue. I understand how HttpOnly can help security and where it's useful (like for sessions, where it's already used), but otherwise I'm not sure why we need to make this change for the XSRF token, outside of not throwing an alert in the specific automated scanner you use.

D4thToMS avatar D4thToMS commented on July 29, 2024

Hi,

I have the same problem here. When scanning for vulnerabilities, the BookStack website comes up with "Set the 'HttpOnly' cookie attribute for any session cookie".
In the Apache config we set the VirtualHost to force these secure cookies:

<VirtualHost bookstack.mydomain.tld:443>
    Header always edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"
    ...
</VirtualHost>

Apache is up to date, the module mod_headers.so is loaded.

What can we do?

Many thanks
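The thread above turns on two points: a scanner flags every cookie that lacks HttpOnly, while the maintainer's position is that only the session cookie needs it and the XSRF token is JS-readable by design; and the Apache `Header edit` rewrite applies to every Set-Cookie header, so it also appends attributes to cookies that already carry them. The following Python script is an added example, not code from this thread or from BookStack: it parses constructed Set-Cookie values the way a scanner would, separates a real finding from by-design noise, and models the rewrite beside a variant that only adds attributes that are missing. The cookie names and the allowlist are assumptions.

```python
import re

# Constructed sample Set-Cookie values (not from the thread): a session cookie
# that is already HttpOnly, an XSRF token cookie that is readable by JS on purpose
# (the front end echoes it back in a request header), and a plain preference cookie.
SAMPLE_COOKIES = [
    "bookstack_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "XSRF-TOKEN=tok456; Path=/; Secure; SameSite=Lax",
    "theme=dark; Path=/",
]

# Cookies that are JS-readable by design; a missing HttpOnly on these is scanner
# noise. The name is assumed, the thread does not name the XSRF cookie.
JS_READABLE_BY_DESIGN = {"XSRF-TOKEN"}

def parse_set_cookie(value):
    """Return (cookie name, set of lowercased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def triage(values):
    """Map each cookie name to 'ok', 'noise' (HttpOnly absent but by design) or a finding."""
    results = {}
    for v in values:
        name, attrs = parse_set_cookie(v)
        missing = [a for a in ("httponly", "secure") if a not in attrs]
        if not missing:
            results[name] = "ok"
        elif name in JS_READABLE_BY_DESIGN and missing == ["httponly"]:
            results[name] = "noise"  # token is in the DOM anyway; not the user session
        else:
            results[name] = "finding: missing " + ", ".join(missing)
    return results

def apache_header_edit(value):
    """Model of `Header always edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"`: the
    pattern matches every cookie, so attributes are duplicated when already present."""
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure", value)

def add_missing_attributes(value):
    """Rewrite that only appends the attributes a cookie actually lacks."""
    _, attrs = parse_set_cookie(value)
    extra = [a for a in ("HttpOnly", "Secure") if a.lower() not in attrs]
    return value + "".join("; " + a for a in extra)

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_COOKIES).items():
        print(f"{name}: {verdict}")
```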