'httpOnly' not set for cf_use_ob cookie



Our vulnerability scan is saying the ‘cf_use_ob’ cookie does NOT have the httpOnly setting.

We understand this cookie is to do with ‘Offline Browsing’, which we have disabled (so the cookie is set to ‘0’).

We cannot figure out WHEN this cookie is set, nor how we would ensure the httpOnly setting would be set.

Any ideas?

Rich Talbot

I don’t get that cookie though…

If you are setting the cookie as secure but the traffic between your server and CF edge servers is insecure, then the cookie would not be passed to the client.
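To check a scanner finding like this yourself, the following added example (not from the original thread or from Cloudflare) parses Set-Cookie headers, reports which cookies lack HttpOnly or Secure, and shows what a header rewrite that appends the missing flags would produce; the sample headers are constructed, and the example says nothing about where cf_use_ob is actually set.

```python
# Constructed sample response headers (assumed, not captured from a real Cloudflare response).
SAMPLE_HEADERS = [
    "Set-Cookie: cf_use_ob=0; path=/; expires=Thu, 01 Jan 2099 00:00:00 GMT",
    "Set-Cookie: __cfduid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "Set-Cookie: session=xyz; Path=/; Secure",
    "Content-Type: text/html",
]


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {lowercased attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookies(headers):
    """Return {cookie_name: [missing flags]} for every Set-Cookie lacking HttpOnly or Secure."""
    findings = {}
    for header in headers:
        if not header.lower().startswith("set-cookie:"):
            continue
        name, _, attrs = parse_set_cookie(header.split(":", 1)[1])
        missing = [flag for flag in ("httponly", "secure") if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


def harden_set_cookie(header_value):
    """Append HttpOnly and Secure when absent: what an edge or reverse-proxy rewrite rule would do."""
    _, _, attrs = parse_set_cookie(header_value)
    out = header_value.rstrip().rstrip(";")
    if "httponly" not in attrs:
        out += "; HttpOnly"
    if "secure" not in attrs:
        out += "; Secure"
    return out


if __name__ == "__main__":
    for cookie, flags in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(flags)}")
    print(harden_set_cookie("cf_use_ob=0; path=/"))
```

The rewrite helper is only meaningful once the origin-to-edge leg is HTTPS, since, as noted above, a Secure cookie is not delivered over an insecure hop.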

