https://community.dynatrace.com/t5/Troubleshooting/Resolving-missing-httpOnly-flag-dtcookie-vulnerability/ta-p/216936 <H2>Self Service Summary</H2> <P><SPAN>Security Team is reporting "missing httpOnly flag for dtCookie" or "Dynatrace cookies are vulnerable because httpOnly attribute is not set".</SPAN></P> <P>&nbsp;</P> <TABLE> <THEAD> <TR> <TH>Issue</TH> <TH>Solution</TH> <TH>Tasks</TH> <TH>Alternative(s)</TH> </TR> </THEAD> <TBODY> <TR> <TD>httpOnly flag not set on dtCoockie</TD> <TD>Explain why httpOnly is not supported - see below.</TD> <TD><SPAN>Check below information and explain it to your Security Team</SPAN></TD> <TD> <P>Dynatrace supports the Secure cookie attribute - see below.</P> <P>Submit a Support ticket if you have additional questions or concerns.</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><SPAN>RUM correlation requires the&nbsp;</SPAN><CODE>dtCookie</CODE><SPAN>&nbsp;and&nbsp;</SPAN><CODE>dtPC</CODE><SPAN>&nbsp;cookies to be on web requests in order to link them to user actions. However, because&nbsp;</SPAN><CODE>dtCookie</CODE><SPAN>&nbsp;is part of the beacon and because the RUM JavaScript sets and modifies these cookies, they don't support the&nbsp;</SPAN><CODE>HttpOnly</CODE><SPAN>&nbsp;flag. <CODE>HttpOnly</CODE>&nbsp;cookies are inaccessible to JavaScript, so the RUM JavaScript cannot set and modify such cookies. See&nbsp;</SPAN><A class="anchor" title="Learn about first-party cookie usage in Dynatrace." href="https://www.dynatrace.com/support/help/manage/data-privacy-and-security/data-privacy/cookies" target="_blank" rel="noopener">Cookies</A><SPAN>&nbsp;for complete details.</SPAN></P> <P>&nbsp;</P> <P>You can add the<SPAN>&nbsp;</SPAN><CODE>Secure</CODE><SPAN>&nbsp;</SPAN>cookie attribute to all Dynatrace cookies to ensure that browsers send these cookies only over secure connections.&nbsp;<SPAN>Before enabling the</SPAN><SPAN>&nbsp;</SPAN><CODE>Secure</CODE><SPAN>&nbsp;</SPAN><SPAN>cookie attribute, make sure that your application is completely served over secure connections. See </SPAN><A style="font-family: inherit; background-color: #ffffff;" href="https://docs.dynatrace.com/docs/manage/data-privacy-and-security/data-privacy/cookies#secure-cookies" target="_blank" rel="noopener">Secure cookies</A><SPAN> for more information.</SPAN></P> Tue, 21 Oct 2025 16:19:37 GMT stefanie_pachne 2025-10-21T16:19:37Z https://community.dynatrace.com/t5/Troubleshooting/Resolving-missing-httpOnly-flag-dtcookie-vulnerability/ta-p/216936 <H2>Self Service Summary</H2> <P><SPAN>Security Team is reporting "missing httpOnly flag for dtCookie" or "Dynatrace cookies are vulnerable because httpOnly attribute is not set".</SPAN></P> <P>&nbsp;</P> <TABLE> <THEAD> <TR> <TH>Issue</TH> <TH>Solution</TH> <TH>Tasks</TH> <TH>Alternative(s)</TH> </TR> </THEAD> <TBODY> <TR> <TD>httpOnly flag not set on dtCoockie</TD> <TD>Explain why httpOnly is not supported - see below.</TD> <TD><SPAN>Check below information and explain it to your Security Team</SPAN></TD> <TD> <P>Dynatrace supports the Secure cookie attribute - see below.</P> <P>Submit a Support ticket if you have additional questions or concerns.</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><SPAN>RUM correlation requires the&nbsp;</SPAN><CODE>dtCookie</CODE><SPAN>&nbsp;and&nbsp;</SPAN><CODE>dtPC</CODE><SPAN>&nbsp;cookies to be on web requests in order to link them to user actions. However, because&nbsp;</SPAN><CODE>dtCookie</CODE><SPAN>&nbsp;is part of the beacon and because the RUM JavaScript sets and modifies these cookies, they don't support the&nbsp;</SPAN><CODE>HttpOnly</CODE><SPAN>&nbsp;flag. <CODE>HttpOnly</CODE>&nbsp;cookies are inaccessible to JavaScript, so the RUM JavaScript cannot set and modify such cookies. See&nbsp;</SPAN><A class="anchor" title="Learn about first-party cookie usage in Dynatrace." href="https://www.dynatrace.com/support/help/manage/data-privacy-and-security/data-privacy/cookies" target="_blank" rel="noopener">Cookies</A><SPAN>&nbsp;for complete details.</SPAN></P> <P>&nbsp;</P> <P>You can add the<SPAN>&nbsp;</SPAN><CODE>Secure</CODE><SPAN>&nbsp;</SPAN>cookie attribute to all Dynatrace cookies to ensure that browsers send these cookies only over secure connections.&nbsp;<SPAN>Before enabling the</SPAN><SPAN>&nbsp;</SPAN><CODE>Secure</CODE><SPAN>&nbsp;</SPAN><SPAN>cookie attribute, make sure that your application is completely served over secure connections. See </SPAN><A style="font-family: inherit; background-color: #ffffff;" href="https://docs.dynatrace.com/docs/manage/data-privacy-and-security/data-privacy/cookies#secure-cookies" target="_blank" rel="noopener">Secure cookies</A><SPAN> for more information.</SPAN></P> Tue, 21 Oct 2025 16:19:37 GMT https://community.dynatrace.com/t5/Troubleshooting/Resolving-missing-httpOnly-flag-dtcookie-vulnerability/ta-p/216936 stefanie_pachne 2025-10-21T16:19:37Z https://community.dynatrace.com/t5/Troubleshooting/Resolving-missing-httpOnly-flag-dtcookie-vulnerability/tac-p/217257#M264 <P><a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/28409">@stefanie_pachne</a>&nbsp;do we know what JS library version this applies to?</P> Fri, 07 Jul 2023 13:29:26 GMT https://community.dynatrace.com/t5/Troubleshooting/Resolving-missing-httpOnly-flag-dtcookie-vulnerability/tac-p/217257#M264 ChadTurner 2023-07-07T13:29:26Z https://community.dynatrace.com/t5/Troubleshooting/Resolving-missing-httpOnly-flag-dtcookie-vulnerability/tac-p/217664#M266 <P><a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/14877">@ChadTurner</a>&nbsp;this is a more general, typical scan result regarding Dynatracte cookies, independent of JS library versions.</P> Wed, 12 Jul 2023 08:00:45 GMT https://community.dynatrace.com/t5/Troubleshooting/Resolving-missing-httpOnly-flag-dtcookie-vulnerability/tac-p/217664#M266 stefanie_pachne 2023-07-12T08:00:45Z