Set the system property "glide.cookies.http_only" to true. This reduces (but does not eliminate) the vulnerability to cross-site scripting attacks.
Time to fix
This rule is linked to Common Weakness Enumeration entry CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag.
Related best practice
This article is based on a ServiceNow support article. See the original on the ServiceNow support site: ServiceNow HI: Cookies - HTTP Only.
| Cookies - HTTP Only | |
|---|---|
| Configuration Type | System Properties (/sys_properties_list.do) |
| Purpose | To mitigate the risk of client-side script accessing the protected cookie. |
| Default Behavior | Set to true |
| Workaround | No alternate method available. |
How to configure
- Navigate to /sys_properties_list.do.
- Search for the property glide.cookies.http_only.
- Assign the recommended value as shown in the screenshot, then click Update.
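To confirm the property has taken effect, capture the instance's HTTP response and check that every Set-Cookie header carries the HttpOnly attribute (the condition CWE-1004 describes). The script below is an added example, not ServiceNow's own code; the response text and cookie names are constructed for illustration.

```python
"""Audit Set-Cookie headers for the HttpOnly flag (added example)."""
from typing import Dict, List

# Constructed sample response; cookie names are hypothetical.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session_token=constructed123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: ui_pref=constructedABC; Path=/; Secure\r\n"
    "\r\n"
    "<html>...</html>"
)


def set_cookie_headers(raw_response: str) -> List[str]:
    """Return every Set-Cookie value from the head of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, _, value = line.partition(":")
        if key.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its name and the flags we care about.

    Attribute names are case-insensitive per RFC 6265, so compare lowercased.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {"name": name, "httponly": "httponly" in attrs, "secure": "secure" in attrs}


def cookies_missing_httponly(headers: List[str]) -> List[str]:
    """Names of cookies that a page script could still read (no HttpOnly)."""
    return [c["name"] for c in map(parse_set_cookie, headers) if not c["httponly"]]


if __name__ == "__main__":
    missing = cookies_missing_httponly(set_cookie_headers(SAMPLE_RESPONSE))
    print("cookies without HttpOnly:", missing or "none")
```

Run the same check against a real capture of the instance's response (for example the headers saved from a browser's network tab) once the property is set.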