05 Jul 2023 08:54 AM - edited 24 Jan 2024 10:29 AM
Security Team is reporting "missing httpOnly flag for dtCookie" or "Dynatrace cookies are vulnerable because httpOnly attribute is not set".
Issue | Solution | Tasks | Alternative(s) |
---|---|---|---|
httpOnly flag not set on dtCookie | Explain why httpOnly is not supported - see below. | Check the information below and explain it to your Security Team. | Dynatrace supports the Secure cookie attribute - see below. Submit a Support ticket if you have additional questions or concerns. |
RUM correlation requires the `dtCookie` and `dtPC` cookies to be on web requests in order to link them to user actions. However, because `dtCookie` is part of the beacon and because the RUM JavaScript sets and modifies these cookies, they don't support the `HttpOnly` flag. `HttpOnly` cookies are inaccessible to JavaScript, so the RUM JavaScript cannot set and modify such cookies. See Cookies for complete details.

You can add the `Secure` cookie attribute to all Dynatrace cookies to ensure that browsers send these cookies only over secure connections. Before enabling the `Secure` cookie attribute, make sure that your application is completely served over secure connections. See Secure cookies for more information.
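As an added example (not Dynatrace code), the following Node.js script triages scanner findings the way the explanation above suggests: for cookies written by browser-side JavaScript (`dtCookie`, `dtPC`) a missing `HttpOnly` is reported as expected rather than as a gap, while a missing `Secure` attribute is always actionable. The `Set-Cookie` header values are constructed samples, not captured from a real deployment.

```javascript
// Cookies the post identifies as written by the RUM JavaScript; such cookies
// cannot be HttpOnly, because HttpOnly cookies are invisible to JavaScript.
const JS_MANAGED_COOKIES = new Set(["dtCookie", "dtPC"]);

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    const [k, v] = part.split("=");
    attrs[k.toLowerCase()] = v === undefined ? true : v; // flag attrs become true
  }
  return { name, value, attrs };
}

// Classify one cookie: which missing attributes are real gaps, which are expected.
function triageCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const jsManaged = JS_MANAGED_COOKIES.has(name);
  const findings = [];
  if (!("httponly" in attrs)) {
    // Expected for a JS-written cookie; a real gap for a server-managed one.
    findings.push({ attribute: "HttpOnly", expected: jsManaged });
  }
  if (!("secure" in attrs)) {
    // Secure does not depend on who writes the cookie, so this is always a gap
    // once the application is served entirely over HTTPS.
    findings.push({ attribute: "Secure", expected: false });
  }
  const actionable = findings.filter((f) => !f.expected).map((f) => f.attribute);
  return { name, jsManaged, findings, actionable };
}

// Constructed sample headers (values are placeholders).
const SAMPLE_HEADERS = [
  "dtCookie=EXAMPLE_DTCOOKIE_VALUE; Path=/; Secure",
  "dtPC=EXAMPLE_DTPC_VALUE; Path=/",
  "JSESSIONID=EXAMPLE_SESSION; Path=/; HttpOnly; Secure",
];

function triageAll(headers = SAMPLE_HEADERS) {
  return headers.map(triageCookie);
}

for (const r of triageAll()) {
  console.log(`${r.name}: actionable=[${r.actionable.join(", ")}]`);
}
```

In the sample, only `dtPC` produces an actionable finding (missing `Secure`); the missing `HttpOnly` on both Dynatrace cookies is reported as expected.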
@ChadTurner this is a more general, typical scan result regarding Dynatrace cookies, independent of JS library versions.