V-206437
SV-206437r961632_rule
CAT II
Cookies exchanged between the web server and the client, such as session cookies, must have cookie properties set to prohibit client-side scripts from reading the cookie data.
From: Web Server Security Requirements Guide (V4R4)
Description
<VulnDiscussion>A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts the cookie. Setting cookie properties (i.e. HttpOnly property) to disallow client-side scripts from reading cookies better protects the information inside the cookie.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Check Procedure
Review the web server documentation and deployed configuration to determine how to disable client-side scripts from reading cookies.
If the web server is not configured to disallow client-side scripts from reading cookies, this is a finding.
Fix Text
Configure the web server to disallow client-side scripts the capability of reading cookie information.
CCI Reference
CCI-002418- Created
- 2026-04-07 20:08:40
- Last Updated
- 2026-04-07 20:08:40