Recent security scans of ArcGIS Portal and ArcGIS Server raised security concerns around the use of these attributes, which are assigned to cookies to protect and validate their use.
"HTTPOnly" - Cookies without the "HTTPOnly" attribute are permitted to be accessed via JavaScript. Cross-site scripting attacks can steal cookies which could lead to user impersonation or compromise of the application account.
"secure" - Cookies with the "secure" attribute are only permitted to be sent via HTTPS. Cookies sent via HTTP expose an unsuspecting user to sniffing attacks that could lead to user impersonation or compromise of the application account.
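As an added example (not code from this thread or from Esri), the check below parses Set-Cookie header values the way a scanner would and reports which cookies lack the two attributes flagged above; the header values it runs on are constructed samples, not captured from a real deployment.

```python
"""Check Set-Cookie headers for the HttpOnly and Secure attributes.

Added example, not from the thread or from Esri. The header values below
are constructed samples, not captured from a real ArcGIS deployment.
"""
from typing import Dict, List

# Constructed sample Set-Cookie values, as a scanner would see them.
SAMPLE_SET_COOKIE = [
    "esri_auth=abc123; Path=/portal; HttpOnly; Secure; SameSite=Lax",
    "JSESSIONID=xyz789; Path=/arcgis",
    "prefs=dark; Path=/; Secure",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and its attributes.
    Attribute names are compared case-insensitively, as browsers do."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        # Flag attributes (HttpOnly, Secure) carry no value; store True.
        attrs[key.strip().lower()] = value.strip() if value else True
    return {"name": name, "attrs": attrs}


def missing_flags(header: str) -> List[str]:
    """Return the protective attributes absent from one Set-Cookie header."""
    attrs = parse_set_cookie(header)["attrs"]
    return [flag for flag in ("httponly", "secure") if flag not in attrs]


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the flags it is missing.
    Cookies that carry both attributes are left out of the report."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        missing = missing_flags(header)
        if missing:
            report[str(parse_set_cookie(header)["name"])] = missing
    return report


if __name__ == "__main__":
    for cookie, flags in audit(SAMPLE_SET_COOKIE).items():
        print(f"{cookie}: missing {', '.join(flags)}")
```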
Hello @DEWright_CA, can you please confirm the versions and security patch levels of your ArcGIS Portal and ArcGIS Server.
Hi Chris,
I have the same case as DEWright and my ArcGIS Enterprise version is 11.3 with all current security patches applied. Are you saying that the security patches had already addressed these concerns? If yes, can you mention which security patches specifically to ensure that it is applied (although the scan was performed after security patches were applied).
Thank you
Hello @AhmadAwada1 no, I'm not saying I expect those concerns to be addressed in particular patches or versions. I wanted to add information to this Idea by confirming that these concerns do occur in a General Availability version that is fully patched.