CookieConsent not secure
Hi Cookiebot Team,
Vulnerability Scan returned on website:
"Cookie Does Not Contain The "secure" Attribute"
"Cookie Does Not Contain The "HTTPOnly" Attribute"
After checking the root cause, when the user accepts the popup, it creates CookieConsent.
Could you please check to enable Secure and define as HTTPOnly?
Thanks.
-
Hi Manfred,
Thanks for reaching out!
Cookiebot is a JavaScript solution.
When a user consents, the CookieConsent cookie is created by Cookiebot. JavaScript cannot set or manipulate HTTPOnly cookies, which is why setting the HTTPOnly attribute on CookieConsent is not possible.
Setting the Secure attribute means that the cookie will only be sent through secure channels (HTTPS). Unfortunately, we cannot force all our users to use HTTPS, which is why the Secure flag is not set. Maybe (no promise), in a future version of Cookiebot, users could get the opportunity to choose whether or not the secure flag should be set on their websites.
0 -
Any news on how:
"users could get the opportunity to choose whether or not the secure flag should be set on their websites"
.... this is really important!!!
1 -
Hi Kenan, Any news on this topic?
1
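The reply above about Secure and HTTPOnly, as an added example that is not part of the thread and not Cookiebot's code: a script that writes its own cookie can add Secure only when the page is served over HTTPS, and cannot add HttpOnly at all. The names `buildScriptCookie`, `missingFlags` and `ExampleConsent` are hypothetical.

```javascript
// Added example (hypothetical helper, not Cookiebot code).
// Builds the string a page script would assign to document.cookie.
function buildScriptCookie(name, value, opts = {}) {
  const { protocol, maxAgeDays = 365, path = "/", httpOnly = false } = opts;
  if (httpOnly) {
    // RFC 6265 section 5.3: a cookie written through a non-HTTP API
    // (document.cookie) that carries HttpOnly is ignored by the browser.
    throw new Error("HttpOnly needs a Set-Cookie response header, not script");
  }
  // Current browsers drop a Secure cookie written from an http:// page,
  // so the flag is added only when the page itself is on HTTPS.
  const secure = protocol === "https:";
  const parts = [
    `${encodeURIComponent(name)}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAgeDays * 86400}`,
    `Path=${path}`,
    "SameSite=Lax",
  ];
  if (secure) parts.push("Secure");
  return parts.join("; ");
}

// Reports which of the two scanner findings from the thread apply
// to a cookie string (attribute names are case-insensitive).
function missingFlags(cookieString) {
  const attrs = cookieString
    .split(";")
    .slice(1) // skip the name=value pair
    .map((a) => a.trim().split("=")[0].toLowerCase());
  return ["secure", "httponly"].filter((flag) => !attrs.includes(flag));
}

// Browser usage: document and location exist only in a browser.
if (typeof document !== "undefined") {
  document.cookie = buildScriptCookie("ExampleConsent", "accepted", {
    protocol: location.protocol,
  });
}
```

On an HTTPS page this clears the Secure finding; the HttpOnly finding remains for any cookie that script has to create and read, and is usually recorded as an accepted exception when the cookie holds no session data.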