Shield Security support thread: Insecure cookie setting: missing HttpOnly flag related to shield-notbot-nonce

  • Resolved Acal

    (@acal)


    Hello. When I scan my site using pentest-tools.com I get the following Medium severity warning which relates to cookies, XSS, and the “shield-notbot-nonce” cookie. Is there a setting I am missing or is there a recommended fix to this otherwise? TIA!

    Insecure cookie setting: missing HttpOnly flag
    COOKIE NAME
    shield-notbot-nonce
    URL
    https://redacted.ie/
    EVIDENCE
    Set-Cookie: shield-notbot-nonce=39731cbcf2; expires=Fri, 20-May-2022 09:15:07 GMT; Max-Age=15; path=/; secure
    Risk description
    A cookie has been set without the HttpOnly flag, which means that it can be accessed by the JavaScript code running inside the web page. If an attacker manages to inject malicious JavaScript code on the page (e.g. by using an XSS attack) then the cookie will be accessible and it can be transmitted to another site. In case of a session cookie, this could lead to session hijacking.
    Recommendation
    Ensure that the HttpOnly flag is set for all cookies.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support Jelena

    (@jmisic)

    Hi,

    Thanks for sharing this with us.

    We’re sorry, but we can’t comment on other services and their reports.

    Regarding cookies in general, we never store any sensitive, personally identifiable information in any cookie at any time.

    The ‘shield-notbot-nonce’ cookie is designed solely to work around page caching systems, which mostly break Shield’s AntiBot system. If you don’t get the cookie and you use page caching, you’ll break the antibot system.

    We have a dedicated Cookies section here:
    https://www.fernleafsystems.com/wordpress-plugins/policy-addendum-shield-security-plugin/

    Please give this a little bit of read and let us know if you need any further clarifications.

    Thanks,

    Jelena

    Thread Starter Acal

    (@acal)

    Thanks, but this is just a cookie security error, rather independent of a specific scanning service. It points to a WP Shield Security issue. You might get this error from any number of website security checkers.

    I have already read that article from a prior support thread. It does not help with this security issue.

    Plugin Author Paul

    (@paultgoodchild)

    The original answer to your question is correct. You’re getting a warning from an automated reporting tool that itself has no understanding or context on the purpose of this cookie. We can’t comment or dig into the specifics of reports generated by such services. It’s reporting it as medium severity because the developer of the scanning tool deemed it such… not because it is of medium severity and not because it’s a security issue.

    The purpose of this particular cookie requires that the httpOnly flag is NOT set.

    You said it’s a cookie security error. It’s not. It’s a specific scanning tool saying that it’s a medium level security issue. This is not the case and there is nothing to fix.

    Don’t get me wrong, these tools are important and serve an important role. But they’re not always correct.

    Thanks for your question and I hope our explanation makes sense.
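
The two sides of this thread are easy to reconcile with a small check of your own. The scanner only looks at the attribute list of each Set-Cookie header; it has no idea which cookies the server trusts for authentication and which ones exist to be read by a script in the page (a cookie that HttpOnly would hide from document.cookie cannot do that job). The added Python example below is not part of the original thread or of the Shield plugin: it parses the Set-Cookie line quoted in the scanner report, raises the same flag findings a scanner would, and then suppresses the HttpOnly finding for cookie names you have confirmed are meant to be read client-side. The second header (PHPSESSID) is a constructed contrast case, and the js_readable allowlist is something you populate yourself from the vendor's documentation, as Jelena and Paul describe for shield-notbot-nonce.

```python
# Audit Set-Cookie headers the way a flag-only scanner does, then triage
# the HttpOnly finding using knowledge the scanner does not have.
# Added example; not code from the support thread or the Shield plugin.

# Constructed sample 1: the exact header quoted in the scanner report above.
SHIELD_NONCE_HEADER = (
    "shield-notbot-nonce=39731cbcf2; expires=Fri, 20-May-2022 09:15:07 GMT; "
    "Max-Age=15; path=/; secure"
)

# Constructed sample 2: a hypothetical session cookie with all flags set,
# included only as a contrast case.
SESSION_HEADER = "PHPSESSID=0123456789abcdef; path=/; secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, attrs).

    Attribute names are lower-cased because RFC 6265 treats them as
    case-insensitive. Flag attributes (Secure, HttpOnly) map to True;
    valued attributes (Max-Age, Path, Expires, SameSite) keep their string.
    Splitting on ';' is safe even though Expires contains a comma.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value, attrs


def audit_cookie(header, js_readable=frozenset()):
    """Return the findings a flag-only scanner would raise for one header.

    js_readable: names of cookies that a script in the page must read.
    For those, a missing HttpOnly flag is by design, not a finding, because
    HttpOnly would remove the cookie from document.cookie.
    """
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "samesite" not in attrs:
        findings.append("missing SameSite")
    if "httponly" not in attrs and name not in js_readable:
        findings.append("missing HttpOnly")
    max_age = int(attrs["max-age"]) if "max-age" in attrs else None
    return {"name": name, "findings": findings, "max_age": max_age}


def audit_headers(headers, js_readable=frozenset()):
    """Audit a list of Set-Cookie values; returns one result dict per header."""
    return [audit_cookie(h, js_readable) for h in headers]


if __name__ == "__main__":
    # Run once as the scanner sees it, once with the vendor's context applied.
    for label, allow in (("scanner view", frozenset()),
                         ("with js_readable", frozenset({"shield-notbot-nonce"}))):
        print(f"--- {label} ---")
        for result in audit_headers([SHIELD_NONCE_HEADER, SESSION_HEADER], allow):
            print(f"{result['name']}: max_age={result['max_age']} "
                  f"findings={result['findings'] or 'none'}")
```

Run against the quoted header, the first pass reproduces the scanner's "missing HttpOnly" finding (and adds a SameSite one the report did not mention); the second pass, with shield-notbot-nonce on the allowlist, keeps only the SameSite note. The Max-Age value is surfaced because a fifteen-second lifetime is itself useful triage context: a cookie that short-lived and carrying no credential is a different risk from a long-lived session cookie, which is the case the scanner's "session hijacking" wording actually describes.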
