Cookie Accessible for Subdomains
Impact: Informational
Description
The presence of the Domain attribute in the Set-Cookie header instructs browsers to send the cookie to any subdomains of the specified domain. This can lead to unintended data exposure and potential security risks if sensitive information is stored in the cookie.
Recommendation
To limit cookie access to the current domain only, remove the Domain attribute from the Set-Cookie header. This ensures that the cookie is not accessible to subdomains, reducing the risk of data leakage.
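The following example is added here and is not code from the original page. It models the browser-side domain matching from RFC 6265 (a host-only cookie when Domain is absent, a domain cookie covering every subdomain when it is present) and applies it to two constructed Set-Cookie headers: the flagged form and the recommended form. The host list is a constructed sample.

```python
# Added example (not from the original page): models how browsers scope a cookie
# depending on whether the Set-Cookie header carries a Domain attribute.

def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header value into name/value and attributes.
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "attrs": {}}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        cookie["attrs"][key.strip().lower()] = val.strip() if sep else True
    return cookie


def cookie_scope(header: str, response_host: str) -> str:
    """Return the domain a browser attaches the cookie to, and whether it is host-only.
    No Domain attribute: host-only cookie, exactly response_host.
    Domain=example.com: example.com plus every subdomain (leading dot ignored)."""
    cookie = parse_set_cookie(header)
    domain = cookie["attrs"].get("domain")
    if domain in (None, True):
        return response_host.lower(), True
    domain = domain.lower().lstrip(".")
    host = response_host.lower()
    # A browser rejects a Domain the responding host does not itself belong to.
    if not (host == domain or host.endswith("." + domain)):
        raise ValueError("Domain attribute does not cover the responding host")
    return domain, False


def will_be_sent_to(header: str, response_host: str, request_host: str) -> bool:
    """The domain-match check a browser performs before attaching the cookie."""
    scope, host_only = cookie_scope(header, response_host)
    request_host = request_host.lower()
    if host_only:
        return request_host == scope
    return request_host == scope or request_host.endswith("." + scope)


def hosts_receiving(header: str, response_host: str, candidates) -> list:
    """List which candidate hosts would receive the cookie."""
    return [h for h in candidates if will_be_sent_to(header, response_host, h)]


# Constructed sample headers: the flagged form and the recommended form.
WEAK = "session=abc123; Domain=example.com; Path=/; Secure; HttpOnly"
FIXED = "session=abc123; Path=/; Secure; HttpOnly"
HOSTS = ["example.com", "www.example.com", "cdn.example.com", "notexample.com"]
```

Calling `hosts_receiving(WEAK, "example.com", HOSTS)` lists example.com and both subdomains, while the same call with `FIXED` lists only example.com.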
Last updated on May 13, 2024