When I do a Security Scan of my site hosted on Azure using <a class="postlink" href="https://asafaweb.com">https://asafaweb.com</a> I get two warnings:
1. HTTP only cookies: Warning It looks like a cookie is being set without the "HttpOnly" flag being set (name : value):
Abp.Localization.CultureName : en
Unless the cookie legitimately needs to be read by JavaScript on the client, the "HttpOnly" flag should always be set to ensure it cannot be read by the client and used in an XSS attack.
Question: Is this cookie only being read by Javascript on the client? If not, how can it be changed to be HTTPS cookie?
2. Secure cookies: Warning It looks like 3 cookies are being served over HTTPS without the "secure" flag being set (name : value):
Abp.Localization.CultureName : en ASP.NET_SessionId : 0q ARRAffinity : 8*******************************f
Unless the cookie needs to be sent over an insecure connection, the "secure" flag should always be set to ensure it can only be sent with an HTTPS request.
Appreciate any guidance in securing the cookies.
2 Answer(s)
-
0
Pretty sure the Localization cookie is how the front end knows what language to localize in javascript.
-
0
