Cookie without HTTPONLY flag

bruno.bergero · 2024-10-10T09:26:56.300Z

I am using the version 17 of bubble and for now we cannot update the app, but the security team asked to enable the cookie httponly flag.

Is it possible to solve this vulnerability without upgrading or is it mandatory to update the app and the problem has been solver in a newer version?

Edit: previous version asked to disable the flag, but after speaking with the sec team I understood it is the opposite they are demanding.

lindsay_knowcode · 2024-10-10T10:39:24.454Z

bruno.bergero:

disable the cookie httponly flag

I think you need a better security team if they don’t understand what they are requesting - or did you mis-type something here?

Httponly is fundamental to security - https://owasp.org/www-community/HttpOnly - turning it off is a Bad idea.

bruno.bergero · 2024-10-10T13:59:55.536Z

Ops, my bad, I talked to sec and they agree with you, so the issue here is that the flag is not present and we would like to add it to the cookies.

lindsay_knowcode · 2024-10-10T20:43:28.559Z

HttpOnly is set on the Bubble cookies as you’d expected.

bruno.bergero · 2024-10-17T08:49:23.859Z

We tested it and the cookie does not have the HttpOnly Attribute.

lindsay_knowcode · 2024-10-17T12:19:41.804Z

Perhaps I don’t understand the cookie to which you refer. Not to worry - Bubble support will happliy answer your specific support enquiries.

bruno.bergero · 2024-10-18T08:31:00.824Z

The external company that did a security audit said they did not found the httponly attribute in the cookie of this response:

They requested that we add the attribute. If it is enabled as you said, why doesn’t it appear in this response? Does it appear somewhere else?