ASV scan vulnerability: Cookie Does Not Contain The "secure" Attribute

I tried setting my encryption mode to Full (strict) and have Always Use HTTPS ON, yet I keep failing the ASV security scan. Why is this not working? Do I need to wait a day or something for the setting to propagate?

Post the URL where the cookie is set.

https://hazybowls.com/

That URL doesn't seem to set any cookies, except Cloudflare's, which comes with the "secure" flag.

$ curl -I https://hazybowls.com/
HTTP/2 200
date: Tue, 31 Dec 2019 08:38:32 GMT
content-type: text/html; charset=UTF-8
set-cookie: __cfduid=xxxx; expires=Thu, 30-Jan-20 08:38:31 GMT; path=/; domain=.hazybowls.com; HttpOnly; SameSite=Lax; Secure
cache-control: no-store, no-cache, must-revalidate
cf-railgun: direct (starting new WAN connection)
expires: Thu, 19 Nov 1981 08:52:00 GMT
link: <https://hazybowls.com/wp-json/>; rel="https://api.w.org/"
link: <https://hazybowls.com/>; rel=shortlink
pragma: no-cache
referrer-policy:
vary: User-Agent
x-litespeed-cache: hit
x-powered-by: PHP/7.3.13
x-turbo-charged-by: LiteSpeed
cf-cache-status: DYNAMIC
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
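The check in the reply above can be scripted. The following is an added example, not code from this thread, that parses raw response headers (as printed by `curl -I`) and reports which cookies lack the Secure and HttpOnly attributes. The first Set-Cookie line copies the Cloudflare cookie shown above; the PHPSESSID line is constructed to show what a failing scan would see.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not code from the thread. SAMPLE_HEADERS is constructed:
the __cfduid line mirrors the Cloudflare cookie in the curl output above,
the PHPSESSID line is a hypothetical application cookie with no attributes.
"""
from typing import Dict, List

SAMPLE_HEADERS = """HTTP/2 200
date: Tue, 31 Dec 2019 08:38:32 GMT
content-type: text/html; charset=UTF-8
set-cookie: __cfduid=xxxx; expires=Thu, 30-Jan-20 08:38:31 GMT; path=/; domain=.hazybowls.com; HttpOnly; SameSite=Lax; Secure
set-cookie: PHPSESSID=xxxx; path=/
server: cloudflare
"""

REQUIRED = ("Secure", "HttpOnly")  # attributes a scanner expects on session cookies


def parse_set_cookies(raw_headers: str) -> List[str]:
    """Return the value of every Set-Cookie header (header name is case-insensitive)."""
    cookies = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            cookies.append(value.strip())
    return cookies


def cookie_attributes(set_cookie: str) -> Dict[str, str]:
    """Split 'name=value; Attr; Attr=value' into {attr_lowercase: value}."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:  # parts[0] is the cookie's own name=value pair
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return attrs


def audit_cookies(raw_headers: str) -> Dict[str, List[str]]:
    """Map each cookie name to the list of REQUIRED attributes it is missing."""
    report: Dict[str, List[str]] = {}
    for sc in parse_set_cookies(raw_headers):
        name = sc.split("=", 1)[0].strip()
        attrs = cookie_attributes(sc)
        report[name] = [a for a in REQUIRED if a.lower() not in attrs]
    return report


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```

Feed it the `curl -sI` output for each URL the scan report names, since the home page is not necessarily where the flagged cookie is set.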

Right, I understand that. I am trying to fix it. If it comes with the secure tag, why is my ASV scan saying "The cookie does not contain the 'secure' attribute." even after setting the encryption to Full (strict) and Always Use HTTPS to ON?

Apparently my Cloudflare API wasn't synced with LiteSpeed via my LS settings in the WordPress admin panel. Could this have affected this setting? I just now set it on and added my global API key, email and domain.

Lastly, would this setting alleviate this issue?

That's a question for your ASV vendor, I am afraid.
