TLS Cookie without secure flag set

We recently had a security assessment of our Sonarqube instance.

One finding showed “TLS cookie without secure flag” when using Burp Suite get /sonar/api/components/search_projects. The report said “The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.” I need to know if there is a setting to set the flags for api calls like this or if this is expected behavior. In that case, a response from SonarSource would be helpful to share with our assessors. Any assistance is appreciated.

We’re running:

  • SonarQube Enterprise Edition version 7.9.4


Welcome to the community!

Your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

7.9.4 → 8.9.8 → 9.4 (last step optional)

You may find the Upgrade Guide and the LTS-to-LTS Upgrade Notes helpful. If you have questions about upgrading, feel free to open a new thread for that here.

If your error persists after upgrade, please come back to us.