GSA reports SSL/TLS: Missing secure and httponly Cookie Attribute
#4253
Comments
|
Are you security-auditing the HTTP (Port 80) -> HTTPS (Port 443) redirect? If unsure you can diagnose this by turning off the redirect under System: Settings: Administration and run the audit again. In general the report would mention target IP+Port and other metrics that are relevant to the audit, but I don't see them here. |
|
GSA reports for both systems: 443/tcp ( should have added that before :) ) "Disable web GUI redirect rule" was unticked for both systems during the scan (and still is). |
|
I ticked "Disable web GUI redirect rule" on one server, ran the vulnerability test again, but the problem still persists. |
|
This issue has been automatically timed-out (after 180 days of inactivity). For more information about the policies for this repository, If someone wants to step up and work on this issue, |
I'm running opnsense both 20.1.9_1 and 20.7 on ESXi 6.7. Now I ran a vulnerability scan with Greenbone Security Advisor Community Edition which reports the following for both systems:
_Summary
The host is running a server with SSL/TLS and is prone to information disclosure vulnerability.
Detection Result
The cookies:
Set-Cookie: PHPSESSID=replaced; path=/
are missing the "secure" attribute.
Summary
The application is missing the 'httpOnly' cookie attribute
Detection Result
The cookies:
Set-Cookie: PHPSESSID=replaced; path=/
are missing the "httpOnly" attribute._
I'm using:
I tried ticking/unticking HSTS but that didn't help either. Am I doing something wrong, what else can I check or is it a bug?
Let me know what further information is required to assess this issue. I've seen release notes 17.7 stating these things should be added / fixed, but GSA reports otherwise.
The text was updated successfully, but these errors were encountered: