We recently had a security assessment of our SonarQube instance.
One finding showed “TLS cookie without secure flag” when using Burp Suite against GET /sonar/api/components/search_projects. The report said “The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.” I need to know if there is a setting to set the flags for API calls like this or if this is expected behavior. In that case, a response from SonarSource would be helpful to share with our assessors. Any assistance is appreciated.
- SonarQube Enterprise Edition version 7.9.4
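
The review the report asks for, as an added example (not part of the original post and not SonarSource code): it parses the Set-Cookie headers of a response and reports which cookies lack Secure or HttpOnly and which carry a JWT-shaped value. The response text, cookie names and values are constructed placeholders, and treating a JWT-shaped value as a session token is an assumption of this sketch.

```python
import base64
import json

# Constructed sample (not from a real server); names and values are placeholders.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: csrf_tok=u8k2placeholder; Path=/sonar\r\n"
    "Set-Cookie: session_tok=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2ln;"
    " Path=/sonar; HttpOnly\r\n"
    "Set-Cookie: ui_pref=dark; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT;"
    " Secure; SameSite=Lax\r\n"
    "\r\n"
)

def looks_like_jwt(value):
    """True if value has three dot-separated parts and a JSON header with 'alg'."""
    parts = value.split(".")
    if len(parts) != 3 or not all(parts):
        return False
    try:
        padded = parts[0] + "=" * (-len(parts[0]) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False
    return isinstance(header, dict) and "alg" in header

def audit_set_cookies(raw_response, over_tls=True):
    """Return one finding dict per Set-Cookie header in the response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, rest = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        # One cookie per Set-Cookie line, so the comma inside Expires is harmless.
        pair, *attrs = [p.strip() for p in rest.split(";")]
        cname, _, cvalue = pair.partition("=")
        flags = {a.partition("=")[0].strip().lower() for a in attrs if a}
        token = looks_like_jwt(cvalue)
        findings.append({
            "cookie": cname,
            "session_like": token,
            "missing": [f for f in ("secure", "httponly") if f not in flags],
            # Highest priority: token-bearing cookie served over TLS without Secure.
            "high": over_tls and token and "secure" not in flags,
        })
    return findings

if __name__ == "__main__":
    for finding in audit_set_cookies(SAMPLE_RESPONSE):
        print(finding)
```

Paste the raw response from the proxy history in place of the sample to see which cookies the finding actually applies to.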