If you have a load balancer you will need to add these attributes there as well...
Sent from my T-Mobile 4G LTE Device -------- Original message -------- From: Sumit Bhardwaj <sumit.bhard...@gmail.com> Date: 7/20/19 8:52 AM (GMT-05:00) To: Tomcat Users List <users@tomcat.apache.org> Subject: Security vulnerabilities with tomcat 9 Hi, We are using tomcat 9 and getting following two vulnerabilities in security scans. Cookie Does Not Contain The "secure" Attribute (1) Cookie Does Not Contain The "HTTPOnly" Attribute (1) We have done things mentioned in https://geekflare.com/secure-cookie-flag-in-tomcat/ <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> and also updating the *context.xml for *useHttpOnly="true" It has not helped. We also tried updating our web application's web.xml with the cookie-config, but it has also not helped. What else do we need to do? Best Sumit --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org