nginx_cookie_flag module #1520
Unanswered. freedog96150 asked this question in Support Requests. Replies: 0 comments.
I am failing PCI DSS scans because WordPress seems to have different ways of handling cookie flags and HttpOnly on the /wp-admin and /wp-login pages. Would love to either have a way of adding in different nginx modules as needed or to have the titled module added.
Anyone else running into these issues, or have any suggestions to get the site so that all pages are HttpOnly and/or secure? Is it possible this is a proxy or proxy caching issue?
Below is some text from one of the failed lines in the report.
Service: https
Reference: https://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OTG-SESS-002%29
Evidence:
DetectionDetails: Cookie Vulnerabilities Found
wcf_ca_skip_track_data = true
Path = /
Host = masterfitinc.com
Cookie does not have secure attribue in HTTPS
Cookie does not have an HTTPOnly Attribute
Cookie Change Observed on CLIENTside
Request: POST https://masterfitinc.com/wp-admin/admin-ajax.php HTTP/1.1
Origin: https://masterfitinc.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: application/json, text/javascript, /; q=0.01
Referer: https://masterfitinc.com/checkout/
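The following is an added example, not configuration from the discussion above or from the nginx_cookie_flag module's own documentation. It shows the approach the question is asking about: rewriting every `Set-Cookie` header that WordPress returns so the `Secure` and `HttpOnly` attributes are present on all paths, including /wp-admin/ and /wp-login.php. It assumes nginx 1.19.3 or newer (where the stock `proxy_cookie_flags` directive exists), WordPress reached through `proxy_pass` at the hypothetical upstream `http://127.0.0.1:8080`, and placeholder hostname and certificate paths.

```nginx
# Added example (not from the discussion): force Secure/HttpOnly on every
# Set-Cookie header the WordPress backend returns through nginx.
# Assumptions: nginx >= 1.19.3, WordPress at the hypothetical upstream
# http://127.0.0.1:8080, TLS terminated in this server block.

server {
    listen 443 ssl;
    server_name example.com;                            # placeholder hostname

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        # Tells WordPress the original request was HTTPS so it marks its own
        # auth cookies as secure instead of treating the hop as plain HTTP.
        proxy_set_header X-Forwarded-Proto https;

        # "~" is a regex matching every cookie name, so responses from
        # /wp-admin/, /wp-login.php and admin-ajax.php all get the same
        # attributes regardless of which plugin set the cookie.
        proxy_cookie_flags ~ secure httponly samesite=lax;
    }
}
```

Two caveats a practitioner should check before relying on this. First, `proxy_cookie_flags` only applies to `proxy_pass` locations; if PHP-FPM is reached with `fastcgi_pass` instead, the third-party module named in the title provides an equivalent `set_cookie_flag` directive for that case. Second, any header-rewriting approach only touches cookies the server sets in `Set-Cookie`. A cookie created by JavaScript in the browser (which the report's "Cookie Change Observed on CLIENTside" line suggests for `wcf_ca_skip_track_data`) never passes through nginx, cannot be made HttpOnly by any server configuration, and has to be addressed in the script or plugin that creates it. Re-run the scan after the change to confirm the finding is cleared rather than assuming the rewrite covered every path.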