After running an Alienvault USM scan against Jira, it found a medium vulnerability:
Port 443 'Vulnerability Detection Result: The cookies: Set-Cookie: atlassian.xsrf.token=xxxxxxxxxxxxxxxxxxxxx|lout; Path=/ are missing the "httpOnly" attribute. Insight: The flaw is due to a cookie is not using the 'httpOnly' attribute.'
Looking at the network packets I can see that there are two cookies:
JSESSIONID has two attributes - 'secure: true' & 'httpOnly: true'
atlassian.xsrf.token has only one attribute - 'secure: true'
Is there a way to set the 'httpOnly: true' attribute on the atlassian.xsrf.token cookie?
Thanks in advance.
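As an added example (not from the original post or from Atlassian), the script below reproduces the scanner's check: it parses Set-Cookie header values and reports which cookies lack the Secure and HttpOnly attributes, so a response can be audited locally before and after any configuration change. The sample headers and token values are constructed placeholders; note that a cookie which the page's own JavaScript must read cannot carry HttpOnly, and this check only reports the missing flag, not whether the flag is applicable to a given cookie.

```python
"""Audit Set-Cookie headers for missing security attributes.

Added example, not code from the original post or from Atlassian.
The sample headers are constructed; real token values are replaced
by placeholders.
"""

# Attributes the scanner in the post expects on session and token cookies.
REQUIRED_ATTRS = ("Secure", "HttpOnly")

# Constructed sample: what the poster observed on the wire, with the
# session id and XSRF token replaced by obvious placeholders.
SAMPLE_HEADERS = [
    "JSESSIONID=PLACEHOLDER_SESSION_ID; Path=/; Secure; HttpOnly",
    "atlassian.xsrf.token=PLACEHOLDER_TOKEN|lout; Path=/; Secure",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie_name, {attr: value}).

    Attribute names are case-insensitive (RFC 6265), so keys are lowercased.
    Flag attributes such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(headers):
    """Return {cookie_name: [missing required attributes]} for each header."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        findings[name] = [a for a in REQUIRED_ATTRS if a.lower() not in attrs]
    return findings


def report(findings):
    """Format findings as one line per cookie, scanner style."""
    return [
        f"{name}: missing {', '.join(missing)}" if missing else f"{name}: ok"
        for name, missing in findings.items()
    ]


if __name__ == "__main__":
    for line in report(audit_cookies(SAMPLE_HEADERS)):
        print(line)
```

Feed it the Set-Cookie values captured from the actual response (for example from a browser's network tab) instead of SAMPLE_HEADERS to check the live configuration.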