We are using the Azure Functions .NET SDK for writing HttpTrigger and TimerTrigger Azure functions. When we ran a SAST scan using Checkmarx, we got the following two issues:

1. The web application's IWebJobsStartup method creates a cookie Startup, at line -- of ----------/Startup.cs, and returns it in the response. However, the application is not configured to automatically set the cookie with the "httpOnly" attribute, and the code does not explicitly add this to the cookie.

2. The Startup.cs application configuration file, at line --, does not define sensitive application cookies with the "secure" flag, which could cause the client to send those cookies in plaintext over an insecure network communication (HTTP). This may lead to a Session Hijacking attack.

We have already added cookie policies for them, but are still getting the issue:
```csharp
using Microsoft.AspNetCore.Builder;              // CookiePolicyOptions
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Hosting;
using Microsoft.Extensions.DependencyInjection;

[assembly: WebJobsStartup(typeof(Startup))]

public class Startup : IWebJobsStartup
{
    public void Configure(IWebJobsBuilder builder)
    {
        builder.Services.AddScoped<IDataProcessingRepository, DataProcessingRepository>();

        // Configure<TOptions> needs the options type spelled out; it was missing here.
        builder.Services.Configure<CookiePolicyOptions>(options =>
        {
            options.Secure = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
            options.HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always;
        });
    }
}
```
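For comparison, an added example (not code from the issue author) of an HttpTrigger function that sets the HttpOnly, Secure and SameSite attributes directly on the cookie it returns, so the flags are present on the response regardless of whether any cookie-policy middleware runs in the host pipeline. The function name, route and cookie name are assumptions.

```csharp
// Added example, not from the original issue: set cookie attributes explicitly on the
// response of an in-process Azure Functions HttpTrigger. Names below are hypothetical.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

public static class SessionCookieFunction
{
    [FunctionName("IssueSessionCookie")]
    public static Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Function, "post", Route = "session")] HttpRequest req,
        ILogger log)
    {
        // Placeholder opaque token; a real deployment would take this from its auth provider.
        string token = Guid.NewGuid().ToString("N");

        // Each attribute is set per cookie, so the scanner sees it in the code that
        // writes the cookie rather than having to infer it from a global policy.
        req.HttpContext.Response.Cookies.Append("session", token, new CookieOptions
        {
            HttpOnly = true,                 // not readable from client-side script
            Secure = true,                   // only transmitted over HTTPS
            SameSite = SameSiteMode.Strict,  // not attached to cross-site requests
            MaxAge = TimeSpan.FromMinutes(30),
            Path = "/",
        });

        log.LogInformation("Issued session cookie with HttpOnly and Secure attributes.");
        return Task.FromResult<IActionResult>(new OkResult());
    }
}
```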