Insecure Cookie Flags (Missing Secure or HttpOnly)

Low Severity Technical Guide

Vulnerability Description

Cookies that carry sensitive data (session tokens, authentication state) are exposed when they are set without the protective attributes. Without the Secure attribute, the browser also sends the cookie over plaintext HTTP, so a network attacker can read it in transit or induce a plaintext request to capture it. Without the HttpOnly attribute, client-side script can read the cookie through document.cookie, so any Cross-Site Scripting (XSS) flaw on the site becomes a session-theft vector (HttpOnly does not stop an XSS payload from making requests that carry the cookie; it only stops exfiltrating the value). Without a SameSite attribute, the browser attaches the cookie to cross-site requests, which makes Cross-Site Request Forgery (CSRF) easier.

Remediation Guide

To resolve this finding, apply the following configuration changes or developer practices:

When setting sensitive session cookies, set the Secure, HttpOnly and SameSite attributes on every one of them, for example:

Set-Cookie: session_id=xyz123; Secure; HttpOnly; SameSite=Lax; Path=/; Domain=yourdomain.com

Secure: the cookie is only sent over HTTPS. Browsers also refuse to store a Secure cookie that is set over plain HTTP, so the Set-Cookie must itself come from an HTTPS response. HttpOnly: the cookie is hidden from document.cookie and other script access. SameSite=Lax keeps the cookie off cross-site subrequests and POSTs while still allowing top-level navigations; use SameSite=Strict for cookies that never need to accompany a link from another site. Path=/ scopes the cookie to the whole site. Domain=yourdomain.com makes the cookie available to every subdomain as well; omit the Domain attribute if the cookie should only be sent to the exact host that set it. Where no subdomain sharing is needed, a cookie named with the __Host- prefix (which browsers only accept with Secure, Path=/ and no Domain) locks those requirements in.
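The header above built programmatically, as an added example that is not part of the original guide: it uses Python's standard-library http.cookies module, which knows the Secure, HttpOnly and SameSite attributes, and goes one step beyond the guide by also showing the host-only and __Host- prefixed variants. The function and cookie names are illustrative choices, not an API of any particular framework.

```python
from http.cookies import SimpleCookie


def build_session_cookie(token, domain=None, same_site="Lax", max_age=3600,
                         host_prefix=False):
    """Return the value of a Set-Cookie header for a session cookie with
    Secure, HttpOnly, SameSite, Path and Max-Age set.

    domain=None produces a host-only cookie (sent to the exact host only);
    passing a domain makes the cookie available to every subdomain as well.
    host_prefix=True names the cookie __Host-session_id, which browsers only
    accept when Secure is set, Path is "/" and no Domain attribute is present.
    """
    if same_site not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    if host_prefix and domain:
        raise ValueError("__Host- cookies must not carry a Domain attribute")

    name = "__Host-session_id" if host_prefix else "session_id"
    jar = SimpleCookie()
    jar[name] = token
    morsel = jar[name]
    morsel["secure"] = True        # only sent over HTTPS
    morsel["httponly"] = True      # hidden from document.cookie
    morsel["samesite"] = same_site # not attached to cross-site subrequests
    morsel["path"] = "/"
    morsel["max-age"] = max_age    # bound the session lifetime
    if domain:
        morsel["domain"] = domain
    # OutputString renders "name=value; Attr; Attr=value; ..." for Set-Cookie.
    return morsel.OutputString()


def weak_session_cookie(token):
    """The pre-remediation header this finding flags: no Secure, no HttpOnly,
    no SameSite."""
    return "session_id=%s; Path=/" % token


if __name__ == "__main__":
    print("before:", weak_session_cookie("xyz123"))
    print("after: ", build_session_cookie("xyz123", domain="yourdomain.com"))
    print("strict:", build_session_cookie("xyz123", same_site="Strict",
                                          host_prefix=True))
```

Whatever framework actually sets the cookie (Flask's response.set_cookie, Express's res.cookie, Set-Cookie flags in an nginx or Apache proxy), the rendered header should contain exactly the attributes this function produces.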

Verify Your Fix

After applying the remediation, confirm the fix directly before re-scanning: fetch the login or session-setting endpoint over HTTPS (curl -sD - -o /dev/null https://yourdomain.com/login, or the browser's developer tools, Application/Storage tab) and check that every Set-Cookie header for a sensitive cookie carries Secure, HttpOnly and SameSite, and that the browser does not send the cookie on a plain http:// request. Then run an external attack-surface scan to verify that the vulnerability is no longer detected by WebScanify.
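The check a scanner performs, as an added example that is not part of the original guide: it parses the Set-Cookie headers out of a raw HTTP response and reports, for each sensitive cookie, which attributes are missing, including two mistakes that an attribute-presence check alone would miss (SameSite=None without Secure, and a __Host- cookie that violates the prefix rules). The sample response is constructed for the example, and the "sensitive" name filter is an assumption about which cookies matter.

```python
import re


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (cookie name, attribute dict).
    Attribute names are lowercased; flag attributes map to ''."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_set_cookie(value):
    """Return the list of findings for one Set-Cookie value; [] means it passes."""
    name, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    same_site = attrs.get("samesite", "").lower()
    if not same_site:
        findings.append("missing SameSite")
    elif same_site == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure (browsers reject this)")
    if name.startswith("__Host-"):
        # Prefix rules: Secure, Path=/ and no Domain, else the browser drops it.
        if "domain" in attrs or attrs.get("path") != "/" or "secure" not in attrs:
            findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    return findings


def audit_response(raw_response, sensitive=("session", "auth", "token")):
    """Audit every Set-Cookie header in a raw HTTP response header block.
    Only cookies whose name contains one of the `sensitive` substrings are
    reported (an assumption standing in for the scanner's own classification)."""
    results = {}
    for line in re.split(r"\r?\n", raw_response):
        if line.lower().startswith("set-cookie:"):
            value = line.split(":", 1)[1].strip()
            name, _ = parse_set_cookie(value)
            if any(s in name.lower() for s in sensitive):
                results[name] = audit_set_cookie(value)
    return results


# Constructed sample response (not captured from any real site).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session_id=xyz123; Path=/\r\n"
    "Set-Cookie: auth=abc; HttpOnly; SameSite=None; Path=/\r\n"
    "Set-Cookie: __Host-token=def; Secure; HttpOnly; SameSite=Strict; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
)


if __name__ == "__main__":
    import sys
    raw = SAMPLE_RESPONSE if sys.stdin.isatty() else sys.stdin.read()
    for name, findings in audit_response(raw).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run it against a live endpoint with curl -sD - -o /dev/null https://yourdomain.com/login | python3 cookie_audit.py (the file name is your choice); anything other than OK for a session cookie means the remediation has not reached the response the browser actually sees, for example because a proxy or load balancer rewrites the header.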

Is your website vulnerable?

Run a free security scan now to identify missing headers, outdated JS, and other deployment vulnerabilities.