I am using version 17 of Bubble and for now we cannot update the app, but the security team asked us to enable the cookie HttpOnly flag.
Is it possible to solve this vulnerability without upgrading, or is it mandatory to update the app because the problem has been solved in a newer version?
Edit: previous version asked to disable the flag, but after speaking with the sec team I understood it is the opposite they are demanding.
I think you need a better security team if they don't understand what they are requesting - or did you mis-type something here?
Httponly is fundamental to security - https://owasp.org/www-community/HttpOnly - turning it off is a Bad idea.
Oops, my bad. I talked to sec and they agree with you, so the issue here is that the flag is not present and we would like to add it to the cookies.
HttpOnly is set on the Bubble cookies as you’d expected.
We tested it and the cookie does not have the HttpOnly Attribute.
Perhaps I don't understand the cookie to which you refer. Not to worry - Bubble support will happily answer your specific support enquiries.
The external company that did a security audit said they did not find the HttpOnly attribute in the cookie of this response:
They requested that we add the attribute. If it is enabled as you said, why doesn’t it appear in this response? Does it appear somewhere else?
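To reproduce the auditor's check against your own app's responses, here is an added script (not from this thread or from Bubble) that parses each Set-Cookie header and reports which cookies lack the HttpOnly and Secure attributes. The sample headers and cookie names are constructed for illustration; `audit_url` is a helper that fetches a URL you control and runs the same check.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) attributes.

Added example; the header values and cookie names below are constructed,
not real output from Bubble.
"""
from urllib.request import urlopen

# Attributes the audit expects on every cookie (compared case-insensitively).
REQUIRED_FLAGS = ("httponly", "secure")


def parse_set_cookie(header: str):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attributes may be bare flags (HttpOnly) or key=value (Path=/); keep only the key.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def missing_flags(headers):
    """Map each cookie name to the list of required flags it lacks (empty list = OK)."""
    result = {}
    for h in headers:
        name, attrs = parse_set_cookie(h)
        result[name] = [f for f in REQUIRED_FLAGS if f not in attrs]
    return result


def audit_url(url):
    """Fetch a URL you own and audit every Set-Cookie header in its response (uses the network)."""
    with urlopen(url) as resp:
        return missing_flags(resp.headers.get_all("Set-Cookie") or [])


# Constructed sample headers: one compliant cookie, two that an auditor would flag.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "tracking=xyz; Path=/; Secure",
    "legacy=1; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
]

if __name__ == "__main__":
    for cookie, lacking in missing_flags(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'OK' if not lacking else 'missing ' + ', '.join(lacking)}")
```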