PCI scan failed: Cookie Does Not Contain The "secure" Attribute


#1

Hi,

I have to run a PCI DSS vulnerability scan on my website and it keeps failing for the above.

The cookie in question is cfduid

Is it possible to apply the ‘secure’ attribute or could this be a False Positive?


#2

hi @gabby404

CloudFlare sets a mandatory __cfduid cookie that doesn’t have the Secure flag on it. This cookie has no security impact on the site itself and is only used by CloudFlare for whitelisting specific users from security restrictions. As such, its presence as the only cookie without the Secure flag should not penalize the site.

info from here & here

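A small audit helper, added here as an example and not code from the thread or from Cloudflare, that does what the scanner does: it parses Set-Cookie headers, lists every cookie lacking the Secure attribute, and lets you carry a documented exception list (such as __cfduid) so the finding you hand to the QSA separates the edge-set cookie from cookies your own application sets and can fix. The sample headers are constructed for the example; the function and parameter names are my own.

```python
"""Audit Set-Cookie headers for the Secure attribute (added example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    attributes: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into name plus lower-cased attributes.

    The first ';'-separated item is name=value; every later item is an
    attribute. Flag attributes (Secure, HttpOnly) carry no value, so their
    presence is what matters, not the value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieAudit(
        name=name.strip(),
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        attributes=attrs,
    )


def find_insecure_cookies(
    headers: List[str], accepted: FrozenSet[str] = frozenset()
) -> List[str]:
    """Return names of cookies missing Secure, skipping documented exceptions.

    `accepted` holds cookie names whose missing flag has been risk-accepted
    and written up for the assessor (for example, an edge-set cookie the
    origin cannot change). Everything else is a finding to fix at the origin.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not cookie.secure and cookie.name not in accepted:
            findings.append(cookie.name)
    return findings


def harden_set_cookie(header: str) -> str:
    """Append '; Secure' to a Set-Cookie value that lacks it (idempotent).

    This is the shape of the fix for cookies your own application or reverse
    proxy emits; it cannot reach a cookie set upstream by a CDN edge.
    """
    if parse_set_cookie(header).secure:
        return header
    return header.rstrip().rstrip(";") + "; Secure"


# Constructed sample Set-Cookie values, as a scanner would see them on a
# single HTTPS response: an edge cookie, an application session cookie
# without Secure, and one cookie already hardened.
SAMPLE_HEADERS = [
    "__cfduid=d1234abc; expires=Tue, 10-Mar-2020 12:00:00 GMT; "
    "path=/; domain=.example.com; HttpOnly",
    "sessionid=abc123; Path=/; HttpOnly",
    "csrftoken=xyz; Path=/; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    print("all findings:", find_insecure_cookies(SAMPLE_HEADERS))
    print("after exception:", find_insecure_cookies(SAMPLE_HEADERS, frozenset({"__cfduid"})))
    print("hardened:", harden_set_cookie(SAMPLE_HEADERS[1]))
```

Run against captured response headers from your own site, the useful output is the list that remains after the exception: those are cookies your origin sets, and adding Secure (and HttpOnly where JavaScript does not need the cookie) removes them from the scan result on its merits rather than by explanation.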

#3

We have the same thing come up with our site on automated scans; our QSA was happy with the explanation from Cloudflare.


#4

This answer references a cloudflare support article that is no longer available:

From archive.org I see that the page used to say:

The __cfduid cookie is used to override any security restrictions based on the IP address the visitor is coming from. For example, if the visitor is in a coffee shop where there are a bunch of infected machines, but the visitor’s machine is known trusted, then the cookie can override the security setting. It does not correspond to any userid in the web application, nor does the cookie store any personally identifiable information.

Note: This cookie is strictly necessary for site security operations and can’t be turned off.