I tried setting my encryption mode to Full (strict) and have Always Use HTTPS ON yet I keep failing the AVS security scan. Why is this not working? Do I need to wait a day or something for the setting to propagate?
Post the URL where the cookie is set.
That URL doesn't seem to set any cookies, except Cloudflare's, which comes with the "secure" flag.

```
$ curl -I https://hazybowls.com/
HTTP/2 200
date: Tue, 31 Dec 2019 08:38:32 GMT
content-type: text/html; charset=UTF-8
set-cookie: __cfduid=xxxx; expires=Thu, 30-Jan-20 08:38:31 GMT; path=/; domain=.hazybowls.com; HttpOnly; SameSite=Lax; Secure
cache-control: no-store, no-cache, must-revalidate
cf-railgun: direct (starting new WAN connection)
expires: Thu, 19 Nov 1981 08:52:00 GMT
link: <https://hazybowls.com/wp-json/>; rel="https://api.w.org/"
link: <https://hazybowls.com/>; rel=shortlink
pragma: no-cache
referrer-policy:
vary: User-Agent
x-litespeed-cache: hit
x-powered-by: PHP/7.3.13
x-turbo-charged-by: LiteSpeed
cf-cache-status: DYNAMIC
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
```
Right, I understand that. I am trying to fix it. If it comes with the secure tag, why is my ASV scan saying “The cookie does not contain the “secure” attribute.” even after setting the encryption to Full (strict) and Always Use HTTPS to ON?
Apparently my Cloudflare API wasn't synced with LiteSpeed via my LS settings in the WordPress admin panel. Could this have affected this setting? I just now set it on, added my global API key, email and domain.
That's a question for your AV vendor I am afraid.
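The header check done by hand on the curl output earlier in this thread, as an added example that is not part of any post: it parses a raw response-header block and lists every cookie set without the `Secure` attribute. The function names are hypothetical, and the `PHPSESSID` line in the sample is constructed to show a failing cookie; feed it the `curl -I` output for each URL the scan report names.

```python
# Constructed sample: the first Set-Cookie line is taken from the curl output
# in the thread; the PHPSESSID line is invented to show a cookie that fails.
SAMPLE_HEADERS = """\
HTTP/2 200
content-type: text/html; charset=UTF-8
set-cookie: __cfduid=xxxx; expires=Thu, 30-Jan-20 08:38:31 GMT; path=/; domain=.hazybowls.com; HttpOnly; SameSite=Lax; Secure
set-cookie: PHPSESSID=constructed; path=/
server: cloudflare
"""


def audit_set_cookie(raw_headers):
    """Return one record per Set-Cookie header found in a raw header block."""
    findings = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue  # status line or some other header
        # Split on ';' only. The expires date contains a comma, so splitting
        # on ',' (as for list-valued headers) would tear the cookie apart.
        parts = [p.strip() for p in value.split(";") if p.strip()]
        if not parts:
            continue
        cookie_name = parts[0].partition("=")[0].strip()
        attrs = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
        findings.append({
            "name": cookie_name,
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
            "samesite": attrs.get("samesite") or None,
        })
    return findings


def missing_secure(raw_headers):
    """Names of cookies set without the Secure attribute."""
    return [f["name"] for f in audit_set_cookie(raw_headers) if not f["secure"]]


if __name__ == "__main__":
    for f in audit_set_cookie(SAMPLE_HEADERS):
        status = "ok" if f["secure"] else "MISSING Secure"
        print(f"{f['name']}: {status} (HttpOnly={f['httponly']}, SameSite={f['samesite']})")
```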