A PCI scan report may contain the following finding:
Insecure configuration of Cookie attributes.
"A Cookie Vulnerability helps an attacker to gain access to session information stored in cookies. It may also be used as a 'locator' attack that precedes a Cross-Site Scripting (XSS) or Man-In-The-Middle attack. When looking for Cookie Vulnerabilities, an attacker will first observe cookies through various HTTP proxies and check their attributes. The attacker will then try to steal cookies of various users by employing multiple attacks. If successful, he/she may be able to get sensitive information which can be further used in an illegitimate way."
If you received this finding, the cookies your site sets (usually the session cookie) are missing the HttpOnly and/or Secure attributes. On Apache, add the following to the server or virtual host configuration (mod_headers must be enabled) and reload Apache; the Set-Cookie rule rewrites every cookie the server sends, including cookies from a backend it proxies. Note that the rule appends the flags unconditionally, so a cookie that already carries them will carry them twice; browsers ignore the duplicate, but it is worth checking the result with curl -sI after the change. Use includeSubDomains and preload on the HSTS header only once every subdomain is served over HTTPS, and note that the preload list requires max-age of at least one year (31536000), so the short value of 300 seconds often used for testing will not qualify.
<IfModule mod_headers.c>
# "always" applies the header to error responses (4xx/5xx) as well as 2xx
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Append HttpOnly and Secure to every Set-Cookie header, including proxied ones
Header always edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"
Header always set X-Frame-Options "DENY"
Header always set Referrer-Policy "no-referrer"
# The XSS auditor is deprecated; "0" disables it, which is the current recommendation
Header always set X-XSS-Protection "0"
Header always set X-Permitted-Cross-Domain-Policies "none"
Header always set X-Content-Type-Options "nosniff"
</IfModule>
If the application is Java running behind Apache, the Set-Cookie rule above rewrites the container's cookies, so no additional configuration is required (a Servlet 3.0+ application can also mark its session cookie HttpOnly and Secure itself in web.xml under session-config / cookie-config).
If the application is PHP, also adjust php.ini so that the session cookie carries the flags at the source rather than relying only on the Apache rewrite. These settings affect only the PHP session cookie; cookies created with setcookie() must pass the secure and httponly arguments themselves, and the session.cookie_samesite setting (PHP 7.3+) is worth setting at the same time since scanners increasingly check for it.
session.cookie_secure = On
session.cookie_httponly = On
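To verify the fix offline before the rescan, the following script emulates the scanner's check: it parses every Set-Cookie header in a raw HTTP response and reports which of the required flags are missing. It also shows the difference between the page's unconditional Apache rule (which appends the flags even when present) and an idempotent rewrite that adds only the missing ones. This is an added example, not code from the original article or from Apache; the sample response, cookie names and function names are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample response, as a scanner would see it before the fix.
# Not captured from any real host: the cookie names and values are invented.
RAW_RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Set-Cookie: prefs=dark; path=/; HttpOnly\r\n"
    "\r\n"
)

# The attributes the PCI finding is about. SameSite could be added here
# if your scanner checks for it as well.
REQUIRED_FLAGS = ("Secure", "HttpOnly")


def parse_set_cookie(raw: str) -> List[str]:
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [
        line.split(":", 1)[1].strip()
        for line in head.split("\r\n")[1:]  # skip the status line
        if line.lower().startswith("set-cookie:")
    ]


def cookie_attributes(value: str) -> List[str]:
    """Lower-cased attribute names that follow the name=value pair."""
    parts = [p.strip() for p in value.split(";")[1:]]
    return [p.split("=", 1)[0].lower() for p in parts if p]


def missing_flags(value: str) -> List[str]:
    """Required flags absent from one Set-Cookie value (case-insensitive)."""
    attrs = cookie_attributes(value)
    return [f for f in REQUIRED_FLAGS if f.lower() not in attrs]


def audit(raw: str) -> Dict[str, List[str]]:
    """Map cookie name -> missing flags; an empty list means the cookie is fine."""
    result: Dict[str, List[str]] = {}
    for value in parse_set_cookie(raw):
        name = value.split("=", 1)[0].strip()
        result[name] = missing_flags(value)
    return result


def apache_edit_naive(value: str) -> str:
    """What `Header always edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"` does:
    the flags are appended unconditionally, so a cookie that already has them
    ends up carrying them twice."""
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure", value)


def harden(value: str) -> str:
    """Idempotent rewrite: append only the flags that are actually missing."""
    out = value.rstrip("; ")
    for flag in missing_flags(value):
        out += "; " + flag
    return out


def harden_response(raw: str) -> str:
    """Apply harden() to every Set-Cookie header of a raw response."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = []
    for line in head.split("\r\n"):
        if line.lower().startswith("set-cookie:"):
            line = "Set-Cookie: " + harden(line.split(":", 1)[1].strip())
        lines.append(line)
    return "\r\n".join(lines) + sep + body


if __name__ == "__main__":
    print("before:", audit(RAW_RESPONSE_BEFORE))
    print("after: ", audit(harden_response(RAW_RESPONSE_BEFORE)))
    print("naive rule applied twice:",
          apache_edit_naive(apache_edit_naive("prefs=dark; path=/")))
```

Feed the script the output of curl -si against the real host to check the live configuration; any cookie whose list in the audit result is non-empty will still trip the scanner.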
Related article:
Secure cookie with HttpOnly and Secure flag in Apache | Global Security and Marketing Solutions (gss-portal.com)