Cookie “HTTPOnly” and “secure” attribute vulnerability

Hello,

When I scan my Frontend Page with “Qualys API SCAN” software that is intended to find vulnerabilities, it lands on AUTH0 page and it finds 2 problems with the cookies:

Session Cookie (Authentication Related) Does Not Contain The “HTTPOnly” Attribute
Cookie Does Not Contain The “HTTPOnly” Attribute

Two cookies starting with:
1- co%2Fverifier%2Fhttps%253A%252F%252F…
2- com.auth0.auth.https%3A%2F%2F…

Can you provide more insight related to this problem? I believe this is exactly the same problem as in this link: Cookie "HTTPOnly" and "secure" attribute vulnerability - #4

Thanks

Hi there @coskucinkilic welcome to the community!

I believe this is just due to the fact that some cookies can’t be set to HTTPOnly because they are required for our frontend SDKs to function properly. That is, if these particular cookies were HTTPOnly, they would be inaccessible by JavaScript and thus inaccessible by the SDKs.

Hope this helps!
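
An added example, not part of the original thread and not Auth0 code: a small triage script that parses `Set-Cookie` headers and separates the scanner's "missing HttpOnly" findings on the two SDK cookie prefixes from the question from cookies that should be fixed. The names `SDK_PREFIXES`, `parseSetCookie`, `triage`, the verdict labels, the triage policy itself and the `example.test` sample headers are assumptions made for illustration.

```javascript
// Cookie-name prefixes of the two cookies reported in the question,
// URL-encoded as the scanner showed them.
const SDK_PREFIXES = ["co%2Fverifier%2F", "com.auth0.auth."];

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = Object.create(null); // no prototype, so odd keys are harmless
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? "" : pair.slice(eq + 1),
    attrs,
  };
}

// Assumed policy: a missing Secure flag is always a finding to fix; a missing
// HttpOnly flag is accepted only for cookies the frontend SDK has to read.
function triage(header) {
  const c = parseSetCookie(header);
  const missing = [];
  if (!c.attrs.httponly) missing.push("HttpOnly");
  if (!c.attrs.secure) missing.push("Secure");
  const sdkReadable = SDK_PREFIXES.some((p) => c.name.startsWith(p));
  let verdict = "ok";
  if (missing.includes("Secure")) verdict = "fix";
  else if (missing.includes("HttpOnly")) verdict = sdkReadable ? "accepted-by-design" : "fix";
  return { name: c.name, missing, verdict };
}

// Constructed sample headers (not captured from a real tenant).
const SAMPLE_HEADERS = [
  "com.auth0.auth.https%3A%2F%2Fapp.example.test=constructed; Path=/; Secure; SameSite=Lax",
  "co%2Fverifier%2Fhttps%253A%252F%252Fapp.example.test=constructed; Path=/; Secure",
  "session=abc123; Path=/; Secure; SameSite=Lax",
  "prefs=dark; Path=/; HttpOnly",
  "sid=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
];

for (const h of SAMPLE_HEADERS) console.log(triage(h));
```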
