Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cookie Does Not Contain The ¨secure¨ Attribute in SaaS



We are working with Dynatrace Saas, with OneAgent

The security department of our
company found a warning security risk.

Cookie Does Not Contain The
¨secure¨ Attribute

Impact: Cookies with “secure”
attribute are one permitted to be sent via HTTPS. Cookies sent via HTTP expose
an unsuspecting user to sniffing attacks that could lead to user impersonation
or compromise of the application account.

HTTP Cookie missing Secure
attribute on port 443.


Could anybody please tell us
if there is an option we could configure to avoid this warning?

I have seen something similar
but in AppMon


Go to Application settings => Advanced:

Here is option you need.



We already set the set the attibute to our application but the the result scan still says the cookie is not secured.

Please anwser the two questions:

Q1. Is there any something else we should configure? Maybe in the two host of our dmz cluster?

Q2. Our two dmz host have the latest available version : OneAgent version, however, the Cookie and header settings requires OneAgent version 1.87 or highter

but the point is the latest version available for us is 1.167....

Available version for us

So I think something is wrong: or the label which ask 1.87 version or why we only can see until 1.167 version...

Thanks a lot.

1.167 is grater version than 1.87 🙂 If after reconfiguration cookie is still unsecure make sure that this applications covers all requests that you are talking about. If you have more than one application or there are some requests in default one it is possible that there are some of them without secure parameter. If not, open support ticket and put link to this questions.