Security Scans report "COOKIES WITHOUT HTTPONLY/SECURE FLAG SET" used by Dynatrace Synthetic (HTTP) monitors

francois_jouber — Fri, 08 Aug 2025 09:13:40 GMT

My customer has reported that their security scans report "COOKIES WITHOUT HTTPONLY/SECURE FLAG SET" used by Dynatrace Synthetic (HTTP) monitors that they use.

I understand that Dynatrace can't use HTTPOnly flags since JS can't work with this. But I should be able to set a Secure Cookie attribute for the synthetic monitor - This capability is nicely documented for Web applications (https://docs.dynatrace.com/managed/shortlink/cookies#secure-cookies) but not for Synthetic monitors. I presume I can enable Cookies for the synthetic monitor via Monitor > Settings > General > Cookies but the documentation (https://docs.dynatrace.com/managed/shortlink/http-monitors-config#setup) doesn't provide clear instructions on how to do this.

Please help.

Thank you

Francois

Re: Security Scans report "COOKIES WITHOUT HTTPONLY/SECURE FLAG SET" used by Dynatrace Synthetic (HTTP) monitors

HannahM — Fri, 22 Aug 2025 13:11:30 GMT

For browser monitors, if the browser monitors an application with RUM enabled, it will pick up this setting from the RUM application.
For HTTP Monitors, I wouldn't expect any cookies to be set, as no browser is involved. Could you confirm which cookies you are referring to? This might be easier to answer in a chat/ support ticket, as you can then provide links to the relevant monitors.

topic Re: Security Scans report "COOKIES WITHOUT HTTPONLY/SECURE FLAG SET" used by Dynatrace Synthetic (HTTP) monitors in Synthetic Monitoring

Security Scans report "COOKIES WITHOUT HTTPONLY/SECURE FLAG SET" used by Dynatrace Synthetic (HTTP) monitors

Re: Security Scans report "COOKIES WITHOUT HTTPONLY/SECURE FLAG SET" used by Dynatrace Synthetic (HTTP) monitors