If you have a load balancer you will need to add these attributes there as 

Sent from my T-Mobile 4G LTE Device

-------- Original message --------
From: Sumit Bhardwaj <sumit.bhard...@gmail.com>
Date: 7/20/19 8:52 AM (GMT-05:00)
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Security vulnerabilities with tomcat 9


We are using tomcat 9 and getting following two vulnerabilities in security

Cookie Does Not Contain The "secure" Attribute (1)
 Cookie Does Not Contain The "HTTPOnly" Attribute (1)

We have done things mentioned in


and also updating the *context.xml for *useHttpOnly="true"
It has not helped.

We also tried updating our web application's web.xml with the
cookie-config, but it has also not helped.

What else do we need to do?


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to