We recently had a security assessment of our SonarQube instance.
One finding showed “TLS cookie without secure flag” when using Burp Suite (GET /sonar/api/components/search_projects). The report said “The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.” I need to know if there is a setting to set the flags for API calls like this, or if this is expected behavior. In that case, a response from SonarSource would be helpful to share with our assessors. Any assistance is appreciated.
I’m resurfacing this issue. We were able to work around this issue in the past, but cannot mitigate the same way now. We have had another security scan on our newly upgraded server running version 10.6 and again we were presented with a finding of TLS cookies without a secure flag set. I’ve seen another similar question from 2021 that was also not addressed, so I’m hoping I can get this resolved. If there is a more secure area to share details, please let me know. The scanning tool is Burp Suite, so I’m hoping this is a known issue with a known solution on how best to configure the server to address it. At issue:
The following cookies were issued by the application and do not have the secure flag set:
XSRF-TOKEN
JWT-SESSION
The cookies in the report appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function. Is there a common response to this, or is there a way to confirm whether this is a false positive or an issue that needs to be remediated? I didn’t find any recommendations on hardening cookies, so figured I’d start here. Hopefully it helps that we’re on the latest version of SonarQube. Thanks.
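The post asks how to confirm whether the Burp finding is real. A direct way is to capture the `Set-Cookie` headers the browser actually receives from the TLS endpoint and check each cookie for the `Secure`, `HttpOnly` and `SameSite` attributes. The script below is an added example written for this thread; it is not SonarQube's or SonarSource's code. The sample headers are constructed to mirror the two cookie names in the finding (JWT-SESSION and XSRF-TOKEN) and are not captured from a real server. The `JS_READABLE` set is an assumption: a double-submit CSRF token that page scripts must read cannot be `HttpOnly`, so for such a cookie only the missing `Secure` attribute is reported.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly / SameSite attributes.

Added example for the thread above, not SonarQube's own code.
SAMPLE_HEADERS below are constructed, not captured from a real instance.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value into the attributes we audit.

    Only the attribute names matter here; cookie values are never inspected.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    secure = httponly = False
    samesite: Optional[str] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = val.strip() or None
    return CookieAudit(name, secure, httponly, samesite)


def missing_flags(cookie: CookieAudit, js_readable: bool = False) -> List[str]:
    """Return the attributes a cookie served over TLS should carry but does not.

    js_readable=True suppresses the HttpOnly check for cookies that browser-side
    code legitimately reads (e.g. a double-submit CSRF token).
    """
    missing: List[str] = []
    if not cookie.secure:
        missing.append("Secure")
    if not cookie.httponly and not js_readable:
        missing.append("HttpOnly")
    if cookie.samesite is None:
        missing.append("SameSite")
    return missing


# Assumption: XSRF-TOKEN is a CSRF token the frontend reads, so HttpOnly is
# not expected on it. Adjust this set for your own application.
JS_READABLE = {"XSRF-TOKEN"}


def findings(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the attributes it is missing (empty map = clean)."""
    result: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = missing_flags(cookie, js_readable=cookie.name in JS_READABLE)
        if missing:
            result[cookie.name] = missing
    return result


# Constructed sample responses modelled on the finding in the post.
SAMPLE_HEADERS = [
    "JWT-SESSION=constructed.session.value; Path=/sonar; HttpOnly; SameSite=Lax",
    "XSRF-TOKEN=constructedtoken; Path=/sonar; SameSite=Lax",
    "hardened=1; Path=/; Secure; HttpOnly; SameSite=Strict",
]


if __name__ == "__main__":
    report = findings(SAMPLE_HEADERS)
    if not report:
        print("All cookies carry Secure/HttpOnly/SameSite as expected.")
    for name, missing in report.items():
        print(f"{name}: missing {', '.join(missing)}")
```

Run it against headers copied from the browser's (or Burp's) view of the HTTPS response, not from a request made directly to the application port: when TLS terminates at a reverse proxy, the application behind it may issue cookies without `Secure` because it never sees an HTTPS connection itself, and the proxy is then the place to add the attribute (nginx, for example, can rewrite upstream cookies with `proxy_cookie_flags ~ secure;`). If the captured `Set-Cookie` headers already include `Secure`, the finding is a false positive for that endpoint; if they do not, the report is accurate regardless of which component is responsible.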