Description
The presence of the Domain attribute in the Set-Cookie header instructs browsers to send the cookie to any subdomains of the specified domain. This can lead to unintended data exposure and potential security risks if sensitive information is stored in the cookie.
Recommendation
To limit cookie access to the current domain only, remove the Domain attribute from the Set-Cookie header. This ensures that the cookie is not accessible to subdomains, reducing the risk of data leakage.
References
Related Issues
- Session Cookie Accessible for Subdomains - Vulnerability
- Cookie without HttpOnly Flag - Vulnerability
- Cookie without SameSite Flag - Vulnerability
- Cookie without Secure Flag - Vulnerability
- Tags:
- HTTP Headers
- Cookie
- Data Security
- Application Misconfiguration
Anything's wrong? Let us know Last updated on May 13, 2024