Cookies Not Marked as Secure and Cookies Not Marked as HttpOnly

Following a Pen test on our application which is using the Auth0 SPA SDK (Angular), the following Cookies are flagging up as not being marked as secure and not being marked as HTTPOnly.

Appreciate that the latter is because the cookie needs to be accessible in JS, but just wanted to confirm this and that the same applies for the “Secure” setting?

-The following cookies are not set with the HTTPOnly or secure attribute:

  • auth0.organization_hint
  • _legacy_auth0.organization_hint
  • auth0.is.authenticated
  • _legacy_auth0.is.authenticated

Basically I need to know if this is an issue that we can resolve or if it's a risk we’ll need to sign off on due to the way our application uses Auth0.

Bumping this again as it's appeared in another yearly security scan.

It's specifically the “Secure” setting on the Auth0 cookies I am querying. I understand the reasoning for HTTPOnly and can justify that being risk accepted.
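The distinction the question turns on can be checked directly. The following is an added example, not code from the original post and not part of the Auth0 SPA SDK: it parses Set-Cookie header values (the format a scanner inspects), reports which cookies lack the Secure or HttpOnly attribute, and builds the string a single-page app would assign to `document.cookie`. The point it illustrates is that a cookie written from JavaScript can carry `Secure` and `SameSite`, but `HttpOnly` is never settable from script (the browser ignores it), which is why only the HttpOnly half of the finding is inherent to a JS-readable cookie. The function names (`parseSetCookie`, `auditSetCookies`, `buildClientCookie`) are my own, and the sample headers are constructed; they reuse the cookie names from the scan finding but the values and attributes are invented for illustration and say nothing about what the SDK actually emits.

```javascript
// Added example (not Auth0 SDK code): audit Set-Cookie headers for Secure /
// HttpOnly and show which attributes a document.cookie write can carry.

// Parse one Set-Cookie header value into name, value and a lowercase attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const attrs = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    // Flag attributes (Secure, HttpOnly) have no value; store them as true.
    attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return { name: name.trim(), value: rest.join('='), attrs };
}

// Return only the cookies that would be flagged: missing Secure or missing HttpOnly.
function auditSetCookies(headers) {
  return headers
    .map(parseSetCookie)
    .map((c) => ({
      name: c.name,
      secure: c.attrs.secure === true,
      httpOnly: c.attrs.httponly === true,
      sameSite: typeof c.attrs.samesite === 'string' ? c.attrs.samesite : 'not-set',
    }))
    .filter((c) => !c.secure || !c.httpOnly);
}

// Build the string a SPA would assign to document.cookie (hypothetical helper).
// Script-set cookies can include Secure and SameSite, but HttpOnly cannot be
// set from JavaScript at all; the browser silently drops it, so refuse it here
// rather than let a caller believe the attribute took effect.
function buildClientCookie(name, value, opts = {}) {
  const { secure = true, sameSite = 'Lax', maxAge, httpOnly = false } = opts;
  if (httpOnly) {
    throw new Error(`${name}: HttpOnly cannot be set via document.cookie`);
  }
  let s = `${name}=${encodeURIComponent(value)}; Path=/; SameSite=${sameSite}`;
  if (maxAge !== undefined) s += `; Max-Age=${maxAge}`;
  if (secure) s += '; Secure';
  return s;
}

// Constructed sample headers (values and attributes are made up for illustration).
const SAMPLE_HEADERS = [
  'auth0.is.authenticated=true; Path=/; Max-Age=86400; SameSite=Lax',
  '_legacy_auth0.is.authenticated=true; Path=/; Max-Age=86400',
  'auth0.organization_hint=org_example; Path=/; Secure; SameSite=Lax',
  'session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict',
];

// Usage: print the findings the way a scanner would list them.
for (const f of auditSetCookies(SAMPLE_HEADERS)) {
  const missing = [!f.secure && 'Secure', !f.httpOnly && 'HttpOnly'].filter(Boolean);
  console.log(`${f.name}: missing ${missing.join(', ')} (SameSite=${f.sameSite})`);
}
console.log(buildClientCookie('auth0.is.authenticated', 'true', { maxAge: 86400 }));
```

Run with `node`. In the sample, `session` is the only cookie that passes both checks; `auth0.organization_hint` is flagged solely for HttpOnly, which is the shape a correctly configured script-readable cookie ends up with, while the two `is.authenticated` samples are flagged for both and show what a missing Secure attribute looks like in the header.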