Enabling the Cookie Security Attributes

If you set Client Protocol to HTTPS, you can enable Cookie Security Attributes. If you enable this, the HttpOnly and Secure attributes of cookies will be set to true.

Cookies are inserted by back-end web servers and can be implemented through framework configuration or set-cookie. Secure and HttpOnly in cookies help defend against attacks, such as XSS attacks to obtain cookies, and help defend against cookie hijacking.

If the AppScan scanner detects that the customer site does not insert security configuration fields, such as HttpOnly and Secure, into the cookie of the scan request, it records them as security threats.

Prerequisites

You have selected Dedicated Mode or Cloud Mode - CNAME and added the website you want to protect to WAF.

Constraints

This function is only supported by cloud mode - CNAME and dedicated mode access. The cloud mode - load balancer access does not supported this function.
If the Client Protocol is set to HTTP, the Cookie Security Attributes function is disabled by default and cannot be enabled.

Enabling Cookie Security Attributes

Log in to the WAF console.
Click in the upper left corner and select a region or project.
(Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
In the navigation pane on the left, click Website Settings.
On the Website Settings page, click the target website domain name.
In the Advanced Settings area, click next to Cookie Security Attributes to enable it.

Figure 1 Cookie Security Attributes

After completing the above configuration, enter the protected domain name in the address box of a browser, open the developer tool, and check whether the HttpOnly and Secure attributes of the cookie are set to true.