stefanie_pachne
Dynatrace Organizer

Self Service Summary

Security Team is reporting "missing httpOnly flag for dtCookie" or "Dynatrace cookies are vulnerable because httpOnly attribute is not set".


Issue | Solution | Tasks | Alternative(s)
--- | --- | --- | ---
httpOnly flag not set on dtCookie | Explain why httpOnly is not supported - see below. | Check the information below and explain it to your Security Team. Dynatrace supports the Secure cookie attribute - see below. | Submit a Support ticket if you have additional questions or concerns.


RUM correlation requires the dtCookie and dtPC cookies to be present on web requests so that those requests can be linked to user actions. Because dtCookie is part of the beacon, and because the RUM JavaScript itself sets and modifies these cookies, they cannot carry the HttpOnly flag: an HttpOnly cookie is by definition inaccessible to JavaScript, so the RUM JavaScript could neither set nor modify it. The missing flag is therefore a consequence of how these cookies work, not a misconfiguration that can be corrected. See Cookies for complete details.


You can add the Secure cookie attribute to all Dynatrace cookies so that browsers send them only over HTTPS. Before enabling the Secure cookie attribute, make sure that your application is served entirely over secure connections: a browser never sends a Secure cookie on a plain-HTTP request, so any part of the application still served over HTTP would lose RUM correlation. See Secure cookies for more information.
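The two paragraphs above give the Security Team a rule for reading their scanner output: a missing HttpOnly flag on dtCookie or dtPC is expected and not fixable, while a missing Secure flag on any cookie, Dynatrace or not, is still actionable. As an added example (not code from this page or from Dynatrace), the Node.js script below applies that rule to a list of cookies in Set-Cookie syntax. The cookie names treated as script-set (`dtCookie`, `dtPC`), the sample headers and their values, and all function names are assumptions made for this example.

```javascript
// Added example (not Dynatrace code): triage cookie-scanner findings so that
// "missing HttpOnly" on cookies written by the RUM JavaScript is classified as
// not applicable, while every other missing attribute stays actionable.

// Cookies the page says are set and modified by the Dynatrace RUM JavaScript.
// ASSUMPTION: treat exactly these names as script-set; extend the list if your
// deployment uses additional client-side cookies.
const RUM_SCRIPT_SET_COOKIES = new Set(["dtCookie", "dtPC"]);

// Parse one cookie string in Set-Cookie syntax into { name, value, attrs }.
// attrs is a Map keyed by lower-cased attribute name; flag attributes
// (HttpOnly, Secure) map to true, valued attributes map to their value.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? "" : nameValue.slice(eq + 1).trim();
  const attrs = new Map();
  for (const part of attrParts) {
    const i = part.indexOf("=");
    if (i === -1) attrs.set(part.toLowerCase(), true);
    else attrs.set(part.slice(0, i).trim().toLowerCase(), part.slice(i + 1).trim());
  }
  return { name, value, attrs };
}

// Classify one parsed cookie. Each finding is { attribute, severity, reason }
// with severity "actionable" or "not-applicable".
function classifyCookie(cookie, scriptSetNames = RUM_SCRIPT_SET_COOKIES) {
  const httpOnly = cookie.attrs.has("httponly");
  const secure = cookie.attrs.has("secure");
  const scriptSet = scriptSetNames.has(cookie.name);
  const findings = [];
  if (!httpOnly) {
    // A cookie the page script must write cannot be HttpOnly: the browser
    // hides HttpOnly cookies from document.cookie entirely.
    findings.push(scriptSet
      ? { attribute: "HttpOnly", severity: "not-applicable",
          reason: "set and modified by the RUM JavaScript; HttpOnly would hide it from that script" }
      : { attribute: "HttpOnly", severity: "actionable",
          reason: "server-set cookie readable from page scripts" });
  }
  if (!secure) {
    // Secure is supported for Dynatrace cookies, so its absence is always actionable.
    findings.push({ attribute: "Secure", severity: "actionable",
      reason: scriptSet
        ? "enable the Secure attribute for Dynatrace cookies once the application is fully served over HTTPS"
        : "cookie may be sent over plain HTTP" });
  }
  return { name: cookie.name, httpOnly, secure, scriptSet, findings };
}

function triageSetCookieHeaders(headers, scriptSetNames = RUM_SCRIPT_SET_COOKIES) {
  return headers.map((h) => classifyCookie(parseSetCookie(h), scriptSetNames));
}

// Only the findings the Security Team should still track, as short strings.
function actionableFindings(headers, scriptSetNames = RUM_SCRIPT_SET_COOKIES) {
  return triageSetCookieHeaders(headers, scriptSetNames).flatMap((c) =>
    c.findings
      .filter((f) => f.severity === "actionable")
      .map((f) => `${c.name}: missing ${f.attribute}`));
}

// Constructed sample input (values made up): an application session cookie set
// with both flags, the two RUM cookies, and an unrelated preference cookie.
const SAMPLE_HEADERS = [
  "JSESSIONID=8F3A2C; Path=/; HttpOnly; Secure; SameSite=Lax",
  "dtCookie=v_4_srv_1_sn_ABCDEF; Path=/; Domain=.example.com",
  "dtPC=1$123456789_1h2v-3; Path=/; Secure",
  "prefs=dark; Path=/",
];

for (const c of triageSetCookieHeaders(SAMPLE_HEADERS)) {
  for (const f of c.findings) {
    console.log(`${c.name}\t${f.attribute}\t${f.severity}\t${f.reason}`);
  }
}
```

With the sample input, dtCookie and dtPC each produce a not-applicable HttpOnly finding, dtCookie additionally produces an actionable Secure finding because the constructed header lacks that attribute, and the unrelated `prefs` cookie is flagged for both attributes. Feed the script the cookie strings from your scanner report in place of the constructed sample.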

Version history
Last update: 24 Jan 2024 10:29 AM
Comments
ChadTurner
DynaMight Legend

@stefanie_pachne do we know what JS library version this applies to?

stefanie_pachne
Dynatrace Organizer

@ChadTurner this is a more general, typical scan result regarding Dynatrace cookies, independent of JS library versions.