I'm running opnsense both 20.1.9_1 and 20.7 on ESXi 6.7. Now I ran a vulnerability scan with Greenbone Security Advisor Community Edition which reports the following for both systems:
> Summary
> The host is running a server with SSL/TLS and is prone to information disclosure vulnerability.
> Detection Result
> The cookies:
> Set-Cookie: PHPSESSID=replaced; path=/
> are missing the "secure" attribute.
>
> Summary
> The application is missing the 'httpOnly' cookie attribute
> Detection Result
> The cookies:
> Set-Cookie: PHPSESSID=replaced; path=/
> are missing the "httpOnly" attribute.
I'm using:
- HTTPS
- System default SSL
- No HTTP compression
- Ticked: Disable HTTP_REFERER enforcement check
I tried ticking/unticking HSTS but that didn't help either. Am I doing something wrong, what else can I check or is it a bug?
Let me know what further information is required to assess this issue. I've seen release notes 17.7 stating these things should be added / fixed, but GSA reports otherwise.
Are you security-auditing the HTTP (Port 80) -> HTTPS (Port 443) redirect? If unsure, you can diagnose this by turning off the redirect under System: Settings: Administration and running the audit again.
In general the report would mention target IP+Port and other metrics that are relevant to the audit, but I don't see them here.
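The point above about tying a finding to its target IP and port, shown as an added example (not part of the thread, and not OPNsense or Greenbone code): a small Python check that reports, per listener, which `Set-Cookie` headers lack the `secure` and `httpOnly` attributes. The address 192.0.2.1 and both responses are constructed samples, not output from an OPNsense host.

```python
# Constructed sample responses (assumption: not captured from a real host).
SAMPLES = {
    ("192.0.2.1", 80): (
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Location: https://192.0.2.1/\r\n"
        "Set-Cookie: PHPSESSID=replaced; path=/\r\n\r\n"
    ),
    ("192.0.2.1", 443): (
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: PHPSESSID=replaced; path=/; secure; HttpOnly\r\n\r\n"
    ),
}

def set_cookie_headers(raw_response):
    """Return the values of all Set-Cookie headers in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values

def missing_flags(set_cookie_value):
    """Return (cookie_name, [missing attributes]) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    cookie_name = parts[0].partition("=")[0]
    # Attribute names are case-insensitive; drop any "=value" part.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
    return cookie_name, missing

def audit(samples):
    """Map each (ip, port) target to the cookies that lack a flag."""
    findings = {}
    for target, raw in samples.items():
        for value in set_cookie_headers(raw):
            name, missing = missing_flags(value)
            if missing:
                findings.setdefault(target, []).append((name, missing))
    return findings

if __name__ == "__main__":
    for (ip, port), cookies in audit(SAMPLES).items():
        for name, missing in cookies:
            print(f"{ip}:{port} {name} missing {', '.join(missing)}")
```

With these samples only the port 80 listener is reported, which is the situation the redirect question is meant to rule in or out.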