英文:
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
问题
I am setting some values in cookie through JS in my code. I am passing secure; while setting values to cookie. But still I am getting "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute" as vulnerability.
document.cookie=${name}=${val1};domain=${domainName};path=/;secure;;
英文:
I am setting some values in cookie through JS in my code. I am passing secure; while setting values to cookie. But still I am getting "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute" as vulnerability.
document.cookie=`${name}=${val1};domain=${domainName};path=/;secure;`;
答案1
得分: 3
看起来你在设置Cookie时设置了secure标志,这是确保Cookie仅通过HTTPS发送的正确方式。然而,漏洞扫描器可能仍将其标记为虚假阳性。
你可以尝试明确设置HttpOnly标志。它确保Cookie不能被客户端脚本访问。你可以像这样将其添加到Cookie中:
document.cookie=${name}=${val1};domain=${domainName};path=/;secure;HttpOnly;
英文:
Looks like you're setting the secure flag while setting the cookie, which is the correct way to make sure the cookie is only ever sent over HTTPS. However, it's possible that the vulnerability scanner is flagging it as a false positive anyways.
You could try explicitly setting the HttpOnly flag as well. It ensures that the cookie cannot be accessed by client-side scripts. You can add it to the cookie like this:
document.cookie=`${name}=${val1};domain=${domainName};path=/;secure;HttpOnly`;
答案2
得分: 0
确保您使用的漏洞检测工具已更新并准确?有可能该工具正在生成虚假阳性或因某种原因未正确检测您代码中的“secure”属性。
也许尝试使用不同的漏洞检测工具,尽管我不确定是否会有效。
我想评论此问题,但我没有足够的声誉来这样做。
英文:
Perhaps make sure that the vulnerability detection tool you're using is updated and accurate? It's possible that the tool is generating a false positive or not properly detecting the "secure" attribute in your code for some reason.
Maybe true using a different vulnerability detection tool, though I'm not sure whether that would work.
I'd comment this, but I don't have the reputation to do so.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论