Cookie “HTTPOnly” and “secure” attribute vulnerability

Hello,

When I scan my frontend page with the “Qualys API SCAN” software, which is intended to find vulnerabilities, it lands on the Auth0 page and finds 2 problems with the cookies:

Session Cookie (Authentication Related) Does Not Contain The “HTTPOnly” Attribute
Cookie Does Not Contain The “HTTPOnly” Attribute

Two cookies starting with:
1- co%2Fverifier%2Fhttps%253A%252F%252F…
2- com.auth0.auth.https%3A%2F%2F…

Can you provide more insight related to this problem? I believe this is exactly the same problem as the one at this link: Cookie "HTTPOnly" and "secure" attribute vulnerability - #4

Thanks

Hi there @coskucinkilic welcome to the community!

I believe this is just due to the fact that some cookies can’t be set to HTTPOnly because they are required for our frontend SDKs to function properly. That is, if these particular cookies were HTTPOnly, they would be inaccessible by JavaScript and thus inaccessible by the SDKs.

Hope this helps!
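
One way to triage scanner findings like the ones in this thread, as an added example that is not part of the posts above and is not Auth0 code: a missing HttpOnly is marked as expected only for cookies whose names start with the two prefixes quoted in the question, while a missing Secure flag is still reported for every cookie. The input record shape, the sample cookie names and the verdict labels are assumptions.

```javascript
// Added example: triage of scanner cookie findings. Not Auth0 code.
// Prefixes come from the two cookie names quoted in the question; treating
// them as "must be readable by JavaScript" follows the reply in the thread.
const JS_READABLE_PREFIXES = ['co/verifier/', 'com.auth0.auth.'];

// Scanners often report names percent-encoded; decode once before matching.
function decodeName(name) {
  try {
    return decodeURIComponent(name);
  } catch {
    return name; // malformed escape: match on the raw name
  }
}

// cookies: [{ name, httpOnly, secure }] as exported from a scan or devtools
// (hypothetical record shape).
function triageCookies(cookies, prefixes = JS_READABLE_PREFIXES) {
  const results = [];
  for (const c of cookies) {
    const name = decodeName(c.name);
    const jsReadable = prefixes.some((p) => name.startsWith(p));
    if (!c.httpOnly) {
      // Cookies the SDK must read from JavaScript cannot be HttpOnly.
      const verdict = jsReadable ? 'expected' : 'review';
      results.push({ name, attribute: 'HttpOnly', verdict });
    }
    // The JavaScript-access argument says nothing about Secure, so a
    // missing Secure flag is reported for every cookie.
    if (!c.secure) {
      results.push({ name, attribute: 'Secure', verdict: 'review' });
    }
  }
  return results;
}

// Constructed sample input (placeholder names, not real scan output).
const sample = [
  { name: 'co%2Fverifier%2Fexample', httpOnly: false, secure: true },
  { name: 'com.auth0.auth.example', httpOnly: false, secure: false },
  { name: 'app_session', httpOnly: false, secure: true },
  { name: 'app_csrf', httpOnly: true, secure: true },
];

console.log(triageCookies(sample));
```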