Hi Team,
We have a web vulnerability scanning tool that detects vulnerabilities. It reported the following finding:
150123 cookie does not contain the HttpOnly attribute
we tried using below options :
- `<httpCookies httpOnlyCookies="true" requireSSL="true" />` in web.config (under `<system.web>`). Note that this setting only affects cookies created through the ASP.NET Framework (System.Web) cookie pipeline; it has no effect on an ASP.NET Core application, on cookies written from client-side JavaScript, or on cookies added by a proxy or load balancer in front of IIS.
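<outboundRules>
  <!-- Requires the IIS URL Rewrite module; this element belongs under
       <system.webServer><rewrite>. Outbound rules only see cookies that leave
       IIS as Set-Cookie response headers: a cookie written from client-side
       JavaScript, or added by a proxy/load balancer downstream of IIS, is never
       rewritten here. -->
  <clear />

  <!-- Append Secure, HttpOnly and SameSite to cookies that carry neither
       HttpOnly nor any SameSite attribute. The match pattern must be ".*"
       (Microsoft's reference SameSite rule uses it): "." matches a single
       character, so {R:0} would not reliably carry the whole header value.
       Cookies that already have a SameSite attribute are deliberately left
       alone: appending "SameSite=None" would override an existing Lax/Strict
       value (browsers honour the last occurrence), weakening CSRF protection.
       SameSite=None is only needed for cookies used cross-site and is ignored
       by browsers unless Secure is also set; prefer SameSite=Lax otherwise.
       NOTE(review): verify behaviour when one response sets several cookies. -->
  <rule name="Add cookie attributes" preCondition="Missing HttpOnly and SameSite">
    <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
    <action type="Rewrite" value="{R:0}; Secure; HttpOnly; SameSite=None" />
  </rule>

  <!-- Pattern must be ".*" so the rule also fires when the response has no
       Strict-Transport-Security header yet; "." requires at least one
       character and would only rewrite an already-present header. Keep
       "preload" only if the domain is really submitted to the HSTS preload
       list; preload is hard to undo. -->
  <rule name="Add Strict-Transport-Security only when using HTTPS" enabled="true">
    <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
    <conditions>
      <add input="{HTTPS}" pattern="on" ignoreCase="true" />
    </conditions>
    <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
  </rule>

  <!-- Blanks the Server header value. On IIS 10+ the
       <security><requestFiltering removeServerHeader="true" /> setting removes
       the header entirely and is the more reliable option. -->
  <rule name="Remove Server header">
    <match serverVariable="RESPONSE_Server" pattern=".+" />
    <action type="Rewrite" value="" />
  </rule>

  <preConditions>
    <!-- Pre-condition patterns are case-insensitive regexes by default.
         Match only non-empty Set-Cookie values that contain neither "HttpOnly"
         nor any "SameSite=" attribute, rather than one exact literal suffix,
         which would miss cookies whose attributes appear in another order. -->
    <preCondition name="Missing HttpOnly and SameSite">
      <add input="{RESPONSE_Set_Cookie}" pattern="." />
      <add input="{RESPONSE_Set_Cookie}" pattern="HttpOnly" negate="true" />
      <add input="{RESPONSE_Set_Cookie}" pattern="SameSite=" negate="true" />
    </preCondition>
  </preConditions>
</outboundRules>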
Still, our site's cookie does not show the HttpOnly attribute. Before tuning the rules further, it is worth checking which cookie the scanner flagged and where it is set: a cookie created from client-side JavaScript never passes through a Set-Cookie response header, so neither setting above can touch it (and HttpOnly cannot apply to it at all), and an ASP.NET Core application ignores `<httpCookies>` entirely. Also confirm that the URL Rewrite module is installed and that the `<outboundRules>` element sits under `<system.webServer><rewrite>` in the same web.config.
Thanks in advance.