If you have a load balancer you will need to add these attributes there as 
well...



Sent from my T-Mobile 4G LTE Device


-------- Original message --------
From: Sumit Bhardwaj <sumit.bhard...@gmail.com>
Date: 7/20/19 8:52 AM (GMT-05:00)
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Security vulnerabilities with tomcat 9

Hi,

We are using tomcat 9 and getting following two vulnerabilities in security
scans.

Cookie Does Not Contain The "secure" Attribute (1)
Cookie Does Not Contain The "HTTPOnly" Attribute (1)


We have done things mentioned in
https://geekflare.com/secure-cookie-flag-in-tomcat/

<cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
</cookie-config>

and also updating the context.xml for useHttpOnly="true".
It has not helped.

We also tried updating our web application's web.xml with the
cookie-config, but it has also not helped.

What else do we need to do?

Best
Sumit
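A way to verify both halves of this problem, added here as an example and not code from the thread or from the Tomcat project: check the web.xml fragment for the placement the Servlet 3.0+ schema requires (cookie-config nested inside session-config, which the snippet above does not show), and audit the Set-Cookie headers the client actually receives, since a load balancer in front of Tomcat can add its own cookie or rewrite the ones Tomcat sets. The header samples, cookie names and web.xml fragments below are constructed for the example; fetch_set_cookie_headers is the only part that talks to a live endpoint and is meant to be pointed at your own.

```python
"""Audit Set-Cookie headers and a web.xml fragment for the Secure and HttpOnly
cookie attributes (added example for this thread, not Tomcat project code)."""
import urllib.request
import xml.etree.ElementTree as ET

# Attribute names a scanner flags when absent, compared case-insensitively.
REQUIRED = ("secure", "httponly")


def parse_set_cookie(header):
    """Return (cookie_name, {attribute_lowercase: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")  # flag attributes have no '='
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def missing_attributes(headers):
    """Return {cookie_name: [missing attributes]} for cookies lacking Secure or HttpOnly."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = [a for a in REQUIRED if a not in attrs]
        if missing:
            findings[name] = missing
    return findings


def fetch_set_cookie_headers(url):
    """Live check: every Set-Cookie header as seen by the client, i.e. after the
    load balancer. Point this at your own endpoint; not called in the sample run."""
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


def _local(tag):
    """Strip the XML namespace so the check works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def web_xml_cookie_config_ok(xml_text):
    """True only if session-config/cookie-config sets secure and http-only to true."""
    root = ET.fromstring(xml_text)
    for session in root:
        if _local(session.tag) != "session-config":
            continue
        for cookie in session:
            if _local(cookie.tag) != "cookie-config":
                continue
            values = {_local(c.tag): (c.text or "").strip().lower() for c in cookie}
            return values.get("secure") == "true" and values.get("http-only") == "true"
    return False  # cookie-config missing or not under session-config


# Constructed sample headers: Tomcat's session cookie without Secure, a clean
# application cookie, and a sticky-session cookie added by a load balancer.
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly",
    "app_pref=dark; Path=/; Secure; HttpOnly",
    "lb_affinity=node1; Path=/",
]

# Constructed web.xml fragments: correct nesting versus a bare cookie-config.
WEB_XML_OK = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>"""

WEB_XML_MISPLACED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</web-app>"""


if __name__ == "__main__":
    print("web.xml OK:", web_xml_cookie_config_ok(WEB_XML_OK))
    print("web.xml misplaced:", web_xml_cookie_config_ok(WEB_XML_MISPLACED))
    for cookie, missing in missing_attributes(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

The header audit is the more useful half: it reports what the scanner sees, so a cookie flagged there after web.xml is correct points at the load balancer or another component in the path rather than at Tomcat's configuration. Note that Tomcat's cookie-config only governs the session cookie; cookies set by application code or by a proxy need their attributes set where they are created.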

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
