We have a self-hosted anvil application that we are running security scans on.
It is flagging several warnings for anvil-test-cookie.
Per the answer to this:
That is an essential cookie, so I’m just trying to figure out if it is possible to make changes to this.
Note that all of these warnings are considered “low” priority by the scanning suite.
The warnings generated are:
Cookies with missing, inconsistent or contradictory properties
At least one of the following cookie properties causes the cookie to be invalid or incompatible with either a different property of the same cookie, or with the environment the cookie is being used in. Although this is not a vulnerability in itself, it will likely lead to unexpected behavior by the application, which in turn may cause secondary security issues.
When cookies lack the SameSite attribute, Web browsers may apply different and sometimes unexpected defaults. It is therefore recommended to add a SameSite attribute with an appropriate value of either “Strict”, “Lax”, or “None”.
Cookies without HttpOnly flag set
One or more cookies don’t have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies.
Cookies can be accessed by client-side scripts.
Cookies without Secure flag set
One or more cookies do not have the Secure flag set. When a cookie is set with the Secure flag, it instructs the browser that the cookie can only be accessed over secure SSL/TLS channels. This is an important security protection for session cookies.
Cookies could be sent over unencrypted channels.
Any thoughts on if this is easily fixed or configured? I suspect that some of these are required to be the way they are currently configured in order for Anvil to work.
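To see exactly what the scanner is reacting to, here is a small added check (my own example, not code from the original post or from Anvil) that reads Set-Cookie header values and reports the same three findings: missing/invalid SameSite, missing HttpOnly, and missing Secure. The header values are constructed; only the cookie name anvil-test-cookie comes from the post.

```python
# Added example: audit Set-Cookie header values for the three scanner findings.
# Sample headers below are constructed; anvil-test-cookie is the name from the post.

def audit_set_cookie(header: str) -> dict:
    """Return scanner-style findings for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:
        if not p:
            continue  # tolerate a trailing ';'
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()  # attribute names are case-insensitive

    findings = []
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("strict", "lax", "none"):
        # Absent or unrecognised value: browsers fall back to their own default.
        findings.append("missing or invalid SameSite")
    elif samesite == "none" and "secure" not in attrs:
        # SameSite=None without Secure is rejected by current browsers; this is
        # the "inconsistent or contradictory properties" case in the report.
        findings.append("SameSite=None requires Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    return {"name": name, "findings": findings}

# Constructed sample headers: as flagged, hardened, and contradictory.
SAMPLE_HEADERS = [
    "anvil-test-cookie=abc123; Path=/",
    "anvil-test-cookie=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "anvil-test-cookie=abc123; Path=/; HttpOnly; SameSite=None",
]

def audit_all(headers=SAMPLE_HEADERS) -> dict:
    """Map each header value to its list of findings (empty list = clean)."""
    return {h: audit_set_cookie(h)["findings"] for h in headers}

if __name__ == "__main__":
    for h, f in audit_all().items():
        print(h, "->", f or ["OK"])
```

Feed it the Set-Cookie values from your own responses (e.g. from the browser's network panel) to confirm which attributes the scanner actually sees on anvil-test-cookie.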