Is it possible to add the httpOnly attribute to the atlassian.xsrf.token cookie

After running an Alienvault USM scan against Jira, it found a medium vulnerability:

Port 443 'Vulnerability Detection Result: The cookies: Set-Cookie: atlassian.xsrf.token=xxxxxxxxxxxxxxxxxxxxx|lout; Path=/ are missing the "httpOnly" attribute. Insight: The flaw is due to a cookie is not using the 'httpOnly' attribute.'

Looking at the network packets I can see that there are two cookies:

 

JSESSIONID has two attributes - 'secure: true' & 'httpOnly: true'

atlassian.xsrf.token has only one attribute - 'secure: true'

 

Is there a way to set the 'httpOnly: true' attribute on the atlassian.xsrf.token cookie.

Thanks in advance.

 

2 answers

We suffer the same issue - Openvas claims with 5.0 (MEDIUM) security score.

Atlassian - will you please fix this?

i found : 

 

https://confluence.atlassian.com/jira064/preventing-security-attacks-720412500.html#PreventingSecurityAttacks-ConfiguringTomcattouseHttpOnlySessionIDCookies

 

this is related to : https://confluence.atlassian.com/jira064/jira-security-advisory-2010-06-18-720415809.html

 

Open the context.xml file of the Tomcat installation running JIRA in a text editor.

 

Add the following Manager element within the Contextelement of this file:

...
<Context useHttpOnly="true">
  ...
  <Manager/>
  ...
</Context>
...

(info) To disable HttpOnly Session ID cookies, change the value of the useHttpOnly parameter to false.

Suggest an answer

Log in or Sign up to answer
How to earn badges on the Atlassian Community

How to earn badges on the Atlassian Community

Badges are a great way to show off community activity, whether you’re a newbie or a Champion.

Learn more
Community showcase
Published 15m ago in Jira

5 ways you can make the most of Jira Software and Bitbucket Cloud

As part of the Bitbucket product team I'm always interested in better understanding what kind of impact the use of our tools have on the way you work. In a recent study we conducted of software devel...

3 views 0 2
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you