Hi,

We have a client that is currently undergoing a PCI audit, and the company keeps flagging up the following:

Cookie Does Not Contain The "secure" Attribute
port 443
If the associated risk of a compromised account is high, apply the "secure" attribute to cookies and force all sensitive requests to be sent via HTTPS

This is on their OWA in Exchange 2013. My googling only finds how to set this in OWA 2007 and 2010 by adding the following into the web.config:

    <httpCookies httpOnlyCookies="true" requireSSL="true"/>

I can only find mention that this is not needed in 2013, but I need to know how to set it or how to explain to the PCI company that it is not needed in 2013, as 2013 has its own XSS protection.

Thanks
Graeme

--
Good news everyone, you have just received an e-mail from me!
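
Added example, not part of the original e-mail: the scanner finding quoted above concerns the attributes on each Set-Cookie response header, so one way to confirm which cookies trigger it is to parse those headers and list the ones missing "secure" (and HttpOnly, the other attribute the web.config line sets). The header lines and cookie names are constructed samples, and parse_set_cookie and audit are hypothetical helper names.

```python
# Added example: audit Set-Cookie headers for the Secure / HttpOnly attributes.
# The header lines below are constructed samples, not captured from Exchange.

SAMPLE_HEADERS = [
    "Set-Cookie: session=abc123; path=/; secure; HttpOnly",
    # The value contains the word "secure", but the attribute is absent:
    # a plain substring match on the header would miss this cookie.
    "Set-Cookie: prefs=theme=secure-dark; path=/",
    "Set-Cookie: token=xyz; Path=/; SECURE",
    "Set-Cookie: lang=en; path=/; HttpOnly",
]


def parse_set_cookie(header_line):
    """Return (cookie_name, set of lower-cased attribute names)."""
    name, sep, value = header_line.partition(":")
    if not sep or name.strip().lower() != "set-cookie":
        raise ValueError("not a Set-Cookie header: %r" % header_line)
    parts = value.split(";")
    # The first segment is name=value; everything after it is an attribute.
    cookie_name = parts[0].split("=", 1)[0].strip()
    attrs = set()
    for part in parts[1:]:
        attr = part.split("=", 1)[0].strip().lower()  # names are case-insensitive
        if attr:
            attrs.add(attr)
    return cookie_name, attrs


def audit(header_lines):
    """Return {cookie_name: [missing attributes]} for cookies that fail."""
    findings = {}
    for line in header_lines:
        cookie, attrs = parse_set_cookie(line)
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            findings[cookie] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        print("%s: missing %s" % (cookie, ", ".join(missing)))
```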
