“Insecure cookie setting: missing HttpOnly flag related to shield-notbot-nonce” (support thread for the WordPress plugin Shield Security - Scanners, Security Hardening, Brute Force Protection & Firewall)

Acal (thread starter; topic marked Resolved)


    Hello. When I scan my site using I get the following Medium severity warning which relates to cookies, XSS, and the “shield-notbot-nonce” cookie. Is there a setting I am missing, or is there a recommended fix for this otherwise? TIA!

    Insecure cookie setting: missing HttpOnly flag
    Set-Cookie: shield-notbot-nonce=39731cbcf2; expires=Fri, 20-May-2022 09:15:07 GMT; Max-Age=15; path=/; secure
    Risk description
    A cookie has been set without the HttpOnly flag, which means that it can be accessed by the JavaScript code running inside the web page. If an attacker manages to inject malicious JavaScript code on the page (e.g. by using an XSS attack) then the cookie will be accessible and it can be transmitted to another site. In case of a session cookie, this could lead to session hijacking.
    Ensure that the HttpOnly flag is set for all cookies.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support Jelena



    Thanks for sharing this with us.

    We’re sorry, but we can’t comment on other services and their reports.

    Regarding cookies in general, we never store any sensitive, personally identifiable information in any cookie at any time.

    The ‘shield-notbot-nonce’ cookie exists solely to work around page caching systems, which mostly break Shield’s AntiBot system. If you don’t get the cookie and you use page caching, you’ll break the AntiBot system.

    We have a dedicated Cookies section here:

    Please give this a little bit of read and let us know if you need any further clarifications.



    Thread Starter Acal


    Thanks, but this is just a cookie security error, independent of any specific scanning service. It points to a WP Shield Security issue. You might get this error from any number of website security checkers.

    I have already read that article from a prior support thread. It does not help with this security issue.

    Plugin Author Paul


    The original answer to your question is correct. You’re getting a warning from an automated reporting tool that itself has no understanding of, or context for, the purpose of this cookie. We can’t comment on or dig into the specifics of reports generated by such services. It’s reporting it as medium severity because the developer of the scanning tool deemed it such… not because it is of medium severity and not because it’s a security issue.

    The purpose of this particular cookie requires that the HttpOnly flag is NOT set.

    You said it’s a cookie security error. It’s not. It’s a specific scanning tool saying that it’s a medium level security issue. This is not the case and there is nothing to fix.

    Don’t get me wrong, these tools are important and serve an important role. But they’re not always correct.

    Thanks for your question and I hope our explanation makes sense.
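
The distinction Paul draws (HttpOnly protects a cookie whose value is itself an authority, such as a session id; a cookie that page JavaScript must read cannot carry HttpOnly, so the relevant checks for it are different) can be turned into a triage step for this kind of scanner finding. The Node.js script below is an added example, not code from the Shield plugin or from any post in this thread. It parses a Set-Cookie header and classifies a "missing HttpOnly" report against a small policy table; the table itself (which cookie prefixes are session cookies, which are read by client script, and the 60-second lifetime limit) is an assumption made for the demonstration. The header under test is the one quoted in the scanner report above.

```javascript
// Added example: triage a scanner's "missing HttpOnly" finding by asking what
// the cookie is for, instead of treating every cookie the same way.
// Not code from the Shield plugin; the policy table is a constructed assumption.

// Parse one Set-Cookie header value into name, value and a lower-cased
// attribute map. Bare flags (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? '' : parts[0].slice(eq + 1).trim(),
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Policy keyed by cookie-name prefix (assumed for this example). A session
// cookie gains real protection from HttpOnly. A cookie that page JavaScript
// must read cannot be HttpOnly, so for it we check the compensating controls:
// no sensitive content, Secure, a short lifetime, and a SameSite attribute.
const COOKIE_POLICY = [
  { prefix: 'wordpress_logged_in_', purpose: 'session', jsReadable: false },
  { prefix: 'wordpress_sec_', purpose: 'session', jsReadable: false },
  { prefix: 'shield-notbot-nonce', purpose: 'client-script token', jsReadable: true, maxAgeLimit: 60 },
];

function triageHttpOnlyFinding(header) {
  const c = parseSetCookie(header);
  const policy = COOKIE_POLICY.find((p) => c.name.startsWith(p.prefix));
  const httpOnly = 'httponly' in c.attrs;
  const secure = 'secure' in c.attrs;
  const maxAge = 'max-age' in c.attrs ? Number(c.attrs['max-age']) : null;
  const result = { name: c.name, httpOnly, secure, maxAge, verdict: 'review', notes: [] };

  if (!policy) {
    result.notes.push('unknown cookie: confirm its purpose before accepting or dismissing the finding');
    return result;
  }
  if (!policy.jsReadable) {
    // Session-style cookie: the scanner's reasoning applies exactly as written.
    result.verdict = httpOnly ? 'ok' : 'fix';
    if (!httpOnly) result.notes.push(`${policy.purpose} cookie is readable by script: set HttpOnly`);
    return result;
  }
  // Readable by script by design: HttpOnly would break the feature, so the
  // scanner finding is expected. Check the compensating controls instead.
  if (httpOnly) {
    result.verdict = 'fix';
    result.notes.push('HttpOnly is set on a cookie the page script must read');
    return result;
  }
  result.verdict = 'expected';
  if (!secure) result.notes.push('missing Secure');
  if (maxAge === null || Number.isNaN(maxAge) || maxAge > policy.maxAgeLimit) {
    result.notes.push(`lifetime should be at most ${policy.maxAgeLimit}s`);
  }
  if (!('samesite' in c.attrs)) result.notes.push('no SameSite attribute set');
  return result;
}

// The header from the scanner report quoted in this thread.
const THREAD_HEADER =
  'shield-notbot-nonce=39731cbcf2; expires=Fri, 20-May-2022 09:15:07 GMT; Max-Age=15; path=/; secure';

console.log(triageHttpOnlyFinding(THREAD_HEADER));
```

Run with `node triage.js`. For the header from the thread the verdict is `expected`: the cookie is Secure and lives 15 seconds, and the only note is the absent SameSite attribute. The same function reports `fix` for a `wordpress_logged_in_*` cookie set without HttpOnly, which is the case the scanner's risk description is actually about.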
