Description
When the Domain attribute is present in a Set-Cookie header, the browser sends the cookie not only to that domain but to every subdomain of it: Domain=example.com covers app.example.com, static.example.com and any other host under example.com. Without the attribute the cookie is host-only and is returned only to the exact host that set it. A cookie shared this widely is exposed to every application served from a subdomain, and any script running on one of those hosts can also read it through document.cookie unless it is marked HttpOnly. If any subdomain is compromised (for example through a cross-site scripting flaw, or a stale DNS record that allows a subdomain takeover), an attacker can obtain the cookie. This is a serious risk when the cookie carries a session identifier or other sensitive data.
Recommendation
Omit the Domain attribute from the Set-Cookie header unless the cookie genuinely has to be shared between hosts. A cookie set without Domain is host-only: the browser returns it only to the exact host that issued it, so no subdomain receives it or can read it. If several subdomains legitimately need the same cookie (for example for single sign-on), set Domain to the narrowest domain that covers them, keep the cookie marked Secure and HttpOnly, and treat every host under that domain as part of the cookie's trust boundary, since a compromise of any of them exposes the cookie.
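To see the difference in scope concretely, the following added example (written for this page, not code from the original page or from any scanner) models how a browser decides which hosts a stored cookie is sent to, following the host-only and domain-match rules of RFC 6265. It parses Set-Cookie headers, applies the rule that a cookie's Domain must cover the host that set it, and reports which of a set of candidate hosts would receive each cookie. All header values and host names are constructed for illustration.

```javascript
// Added example (not part of the original page): a small model of how a
// browser scopes cookies by host, following the host-only and domain-match
// rules of RFC 6265 (sections 5.1.3 and 5.3). All Set-Cookie headers and
// host names below are constructed for illustration.

// Parse one Set-Cookie header value into its name, value and the attributes
// that matter here. An empty Domain attribute is ignored, as browsers do.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? "" : pair.slice(eq + 1),
    domain: null, // null means host-only
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [rawKey, ...rest] = attr.split("=");
    const key = rawKey.trim().toLowerCase();
    const val = rest.join("=").trim();
    if (key === "domain" && val !== "") {
      // A leading dot is dropped and the value lower-cased before storage.
      cookie.domain = val.replace(/^\./, "").toLowerCase();
    } else if (key === "secure") {
      cookie.secure = true;
    } else if (key === "httponly") {
      cookie.httpOnly = true;
    }
  }
  return cookie;
}

// RFC 6265 5.1.3: `host` domain-matches `domain` when they are identical, or
// when `host` ends with "." + domain and `host` is not an IP address literal.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  if (host === domain) return true;
  if (/^[0-9.]+$/.test(host) || host.includes(":")) return false;
  return host.endsWith("." + domain);
}

// RFC 6265 5.3 step 6: a browser rejects a cookie whose Domain attribute does
// not cover the host that set it (app.example.com cannot set Domain=other.test).
function acceptsCookie(cookie, setByHost) {
  return cookie.domain === null || domainMatches(setByHost, cookie.domain);
}

// Would a browser that stored `cookie` from `setByHost` attach it to a request
// for `requestHost`? Host-only cookies go back to exactly one host; cookies
// with a Domain attribute go to that domain and every subdomain of it.
function sentTo(cookie, setByHost, requestHost) {
  if (!acceptsCookie(cookie, setByHost)) return false; // never stored at all
  if (cookie.domain === null) {
    return requestHost.toLowerCase() === setByHost.toLowerCase();
  }
  return domainMatches(requestHost, cookie.domain);
}

// Scanner-style report: for each Set-Cookie header, which of the candidate
// hosts would receive the cookie. A cookie that reaches any host other than
// the one that set it is exactly what this finding describes.
function scopeReport(setCookieHeaders, setByHost, candidateHosts) {
  return setCookieHeaders.map(parseSetCookie).map((c) => ({
    name: c.name,
    hostOnly: c.domain === null,
    reaches: candidateHosts.filter((h) => sentTo(c, setByHost, h)),
  }));
}

// Constructed sample: the same session cookie issued with and without Domain.
const SAMPLE_HEADERS = [
  "session=abc123; Path=/; Secure; HttpOnly",
  "session=abc123; Domain=.example.com; Path=/; Secure; HttpOnly",
];
const SAMPLE_HOSTS = [
  "app.example.com",       // the host that set the cookie
  "example.com",           // parent domain
  "static.example.com",    // a sibling subdomain
  "notexample.com",        // shares a suffix but is a different domain
  "example.com.evil.test", // prefix trick: must not match
];

console.log(scopeReport(SAMPLE_HEADERS, "app.example.com", SAMPLE_HOSTS));
```

The host-only cookie reaches only app.example.com, while the one with Domain=.example.com also reaches example.com and static.example.com; neither notexample.com nor example.com.evil.test matches, because the suffix comparison requires a dot boundary. The model deliberately leaves out Path, expiry and the public-suffix check (browsers also refuse a Domain such as co.uk), which do not change the subdomain-scoping point.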
Related Issues
- Cookie Accessible for Subdomains - Vulnerability
- Session Cookie without HttpOnly Flag - Vulnerability
- X-Content-Type-Options Header is Missing - Vulnerability
- Session Cookie without Secure Flag - Vulnerability
Tags:
- HTTP Headers
- Cookie
- Data Security
- Application Misconfiguration
Last updated on May 13, 2024