We are using sonarqube 9.9.2 and have been advised to enable httpOnly and Secure flag. I checked for documentation but could not find anything. Would appreciate any help related to it. Thank you
Hey there.
SonarQube enables these when appropriate (when SonarQube detects it is being served over HTTPS, it will set this cookie), and you should not enable them yourselves.
Certain cookies (namely XSRF-TOKEN) are read by the web application, and therefore cannot be marked as HttpOnly. You can read a discussion about this here.
Ultimately, you should not mess with these cookies or add any additional flags.
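The answer above says the flags are set automatically when SonarQube sees HTTPS, and that XSRF-TOKEN is deliberately not HttpOnly because the browser-side code reads it. The practical follow-up for an administrator is to verify that rather than patch it: inspect the Set-Cookie headers the server actually sends and flag anything that deviates from that policy. The script below is an added example, not code from SonarSource or from this thread. It parses Set-Cookie headers, treats XSRF-TOKEN as the one cookie allowed to lack HttpOnly (per the answer), and expects Secure on every cookie when the instance is served over HTTPS. The cookie names in the sample headers other than XSRF-TOKEN are constructed for the example and are not SonarQube's real cookie names; the `fetch_set_cookie_headers` helper is a convenience for running it against a live instance and is an assumption about how you would collect the headers.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example for the thread above; not SonarQube code.
"""
import urllib.request

# Cookies the web UI reads from JavaScript and therefore cannot be HttpOnly.
# XSRF-TOKEN is named in the answer above; extend this set only with cookies
# you have confirmed are read client-side.
JS_READABLE = {"XSRF-TOKEN"}

# Constructed sample headers (names other than XSRF-TOKEN are placeholders,
# not SonarQube's real cookie names).
SAMPLE_HEADERS = [
    "SESSION=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "XSRF-TOKEN=tok456; Path=/; Secure; SameSite=Lax",
    "LEGACY=old; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as HttpOnly and
    Secure map to True, valued attributes (Path, SameSite, ...) to their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers, served_over_https=True):
    """Return a list of (cookie name, problem) findings.

    Secure is required on every cookie when the instance is served over HTTPS
    (on plain HTTP a Secure cookie would never be sent back, so it is not
    required there). HttpOnly is required on every cookie except those the
    web application must read from JavaScript.
    """
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if served_over_https and "secure" not in attrs:
            findings.append((name, "missing Secure"))
        if "httponly" not in attrs and name not in JS_READABLE:
            findings.append((name, "missing HttpOnly"))
    return findings


def fetch_set_cookie_headers(url):
    """Collect all Set-Cookie headers from one GET request (assumed helper).

    Not exercised offline; point it at your own instance's login or API URL.
    """
    with urllib.request.urlopen(url) as response:
        return response.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    for name, problem in audit_cookies(SAMPLE_HEADERS):
        print(f"{name}: {problem}")
```

Run it against a live instance by replacing `SAMPLE_HEADERS` with `fetch_set_cookie_headers("https://your-sonarqube/")`. If a cookie other than XSRF-TOKEN comes back without HttpOnly, or any cookie lacks Secure while you are terminating TLS in front of SonarQube, the place to look is the proxy configuration (whether SonarQube can see that the request arrived over HTTPS), not the cookies themselves.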