Cookie Set Without HttpOnly Flag
What is it?
If a malicious script can be run on this page, the cookie is readable by that script and can be transmitted to another site. If this is a session cookie, session hijacking may be possible.
Test case FAQs
When is this test case applicable?
This is applicable for all API endpoints when the Baseline security category is enabled in test plans.
How does it work?
Responses sent by the API server are analyzed for any 'Set-Cookie' header that lacks the 'HttpOnly' flag.
What is the solution?
Ensure that the HttpOnly flag is set for all cookies.
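The check described under "How does it work?" and the fix under "What is the solution?" can both be shown in a few lines. The following is an added example written for this page, not the scanner's own implementation: it inspects each Set-Cookie header of a response for a missing HttpOnly flag (attribute names compared case-insensitively, as RFC 6265 requires) and then builds a compliant header with the standard library. The response headers it runs over are constructed for the demonstration.

```python
"""Detect Set-Cookie headers that lack the HttpOnly flag, and emit a
compliant header.  Added example, not part of the original page; it
uses only the Python standard library.  The sample response headers
below are constructed for the demonstration."""
from http.cookies import SimpleCookie


def parse_set_cookie(header_value: str) -> tuple[str, set[str]]:
    """Return (cookie_name, {lower-cased attribute names}) for one
    Set-Cookie header value such as 'sid=abc; Path=/; HttpOnly'."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive (RFC 6265); flags such as
    # HttpOnly and Secure carry no '=', so take the text before any '='.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def cookies_missing_httponly(headers: list[tuple[str, str]]) -> list[str]:
    """Given a response's (field, value) header list, return the names of
    cookies set without HttpOnly.  Every Set-Cookie header is inspected
    separately, because one response may set several cookies."""
    missing = []
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "httponly" not in attrs:
            missing.append(name)
    return missing


def session_cookie_header(name: str, value: str) -> str:
    """Build a Set-Cookie header value with HttpOnly (and Secure) set,
    i.e. the remediation the page recommends."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["httponly"] = True
    cookie[name]["secure"] = True
    cookie[name]["path"] = "/"
    return cookie[name].OutputString()


# Constructed sample response headers for the demonstration.
SAMPLE_HEADERS = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "session=abc123; Path=/; Secure"),            # finding
    ("Set-Cookie", "csrf=xyz; Path=/; HttpOnly; SameSite=Lax"),  # ok
    ("set-cookie", "prefs=dark; path=/; httponly"),              # ok, lower case
    ("Set-Cookie", "tracking=1"),                                # finding
]

if __name__ == "__main__":
    print("missing HttpOnly:", cookies_missing_httponly(SAMPLE_HEADERS))
    print("remediated header:", session_cookie_header("session", "abc123"))
```

Running the block reports `session` and `tracking` as findings while the two cookies that carry HttpOnly (in either letter case) pass. When applying the fix, note that a cookie a client-side script must legitimately read cannot carry HttpOnly, so such findings need a case-by-case decision, and that HttpOnly only prevents script from reading the cookie value; it does not stop the browser from attaching the cookie to requests, so it complements rather than replaces the Secure and SameSite attributes.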