HttpOnly cookies SharePoint Online


Hi,


During a penetration test the following finding was addressed by a security accountant

Session cookie not HTTPOnly: The session cookies 'SPWorkLoadAttribution' and 'ScaleCompatibilityDeviceId' are not marked as HTTPOnly. This means that they can be stolen through Cross-Site Scripting (XSS). An attacker who has a valid session cookie can impersonate an authenticated user within the web application. This finding was found on: https://'companyname'.sharepoint.com (SharePoint environment SCAN). Recommendation: Mark session cookies as HTTPOnly.


Question:

Is it possible for us to set this setting for SharePoint online?

KR,


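To re-verify a finding like the one quoted above (and to track it after a vendor change, since SharePoint Online cookie attributes are not tenant-configurable), the following added example parses captured Set-Cookie header values and reports which cookies lack the HttpOnly, Secure or SameSite attributes. It is not code from the post or from Microsoft; the header values are constructed sample data, and the cookie names other than the two from the finding are placeholders.

```python
"""Audit Set-Cookie header values for missing HttpOnly / Secure / SameSite.

Constructed example: SAMPLE_HEADERS is not a real capture from sharepoint.com.
Cookie values are placeholders; only attribute presence is examined.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Attributes a session-bearing cookie should carry (checked case-insensitively).
REQUIRED = ("httponly", "secure", "samesite")


@dataclass
class CookieReport:
    name: str
    attributes: Dict[str, str]            # lower-cased attribute -> value ("" for flags)
    missing: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieReport:
    """Split one Set-Cookie value into cookie name and its attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")   # flags like HttpOnly have no value
        attrs[key.strip().lower()] = value.strip()
    return CookieReport(name=name, attributes=attrs)


def audit_cookies(headers: List[str]) -> List[CookieReport]:
    """Return one report per header, listing the REQUIRED attributes it lacks."""
    reports = []
    for header in headers:
        report = parse_set_cookie(header)
        report.missing = [a for a in REQUIRED if a not in report.attributes]
        reports.append(report)
    return reports


def cookies_missing(headers: List[str], attribute: str = "httponly") -> List[str]:
    """Names of cookies that lack the given attribute (default: HttpOnly)."""
    return [r.name for r in audit_cookies(headers) if attribute in r.missing]


# Constructed sample: one fully hardened placeholder cookie plus the two from the finding.
SAMPLE_HEADERS = [
    "SessionCookieExample=<placeholder>; Path=/; Secure; HttpOnly; SameSite=None",
    "SPWorkLoadAttribution=<placeholder>; Path=/; Secure",
    "ScaleCompatibilityDeviceId=<placeholder>; Path=/; Secure",
]

if __name__ == "__main__":
    for r in audit_cookies(SAMPLE_HEADERS):
        print(f"{r.name}: " + ("OK" if not r.missing else "missing " + ", ".join(r.missing)))
```

Whether a non-HttpOnly cookie actually enables session hijacking depends on whether it carries authentication state; the report tells you which attributes are absent, not what the cookie is used for.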