Cookie "HTTPOnly" and "secure" attribute vulnerability

andreinechifor83 · February 8, 2022, 9:43am

Hello,

When I scan my Frontend Page with “Qualys API SCAN” software that is intended to find vulnerabilities, it lands on AUTH0 authentification page. And it finds 2 problems with the cookies:
Cookie Does Not Contain The “secure” Attribute
Cookie Does Not Contain The “HTTPOnly” Attribute”

Example of such a cookie: com.auth0.auth.ugKuorXXXXX…

Is this normal or it is a security problem for the cookies don’t have those attributes?

Thank you!

dan.woda · February 22, 2022, 11:24pm

Hi @andreinechifor83,

Welcome to the Auth0 Community!

Not all cookies will be marked HTTPOnly and secure.

Can you tell me the name of the cookie you are referring to?

Topic		Replies	Views
Cookie “HTTPOnly” and “secure” attribute vulnerability Help auth0 , api , login , vulnerability	2	3609	June 29, 2022
Cookies Not Marked as Secure and Cookies Not Marked as HttpOnly Help security-question-concern , security-compliance	1	1728	August 28, 2024
Request to use HttpOnly Cookies for Auth0 Authentication Help classic-universal-login-experience , login-experience	3	2726	February 15, 2023
Auth0 Cookies to be secure in response Help auth0 , cookie , samesite-cookies	0	1696	September 27, 2022
Auth0.is.authenticated cookie - _legacy_auth0.is.authenticated cookie Knowledge Articles cookies	1	2194	May 31, 2023

Cookie "HTTPOnly" and "secure" attribute vulnerability

Related Topics