Security Inquiry: Unidentified Cookie Missing HttpOnly Flag

We have a critical security requirement to ensure all cookies set on our application’s domain include the HttpOnly flag to mitigate XSS vulnerabilities.

After a thorough internal investigation of both our application’s logic and our company’s servers, we have confirmed that we are not setting a specific cookie that is appearing without this flag.

This leads us to the conclusion that the cookie may be originating from the Bubble platform itself. Could you please help us identify this cookie and advise on how we can enforce the HttpOnly flag on it?
