HttpOnly cookies SharePoint Online

During a penetration test, the following finding was addressed by a security accountant:

Session cookie not HTTPOnly: The session cookies 'SPWorkLoadAttribution' and 'ScaleCompatibilityDeviceId' are not marked as HTTPOnly. This means that they can be stolen through Cross-Site Scripting (XSS). An attacker who has a valid session cookie can impersonate an authenticated user within the web application.
This finding was found on: https://'companyname' SharePoint environment (SCAN).
Recommendation: Mark session cookies as HTTPOnly.

Is it possible for us to set this setting for SharePoint online?
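To reproduce the scanner's check against a captured HTTP response, as an added example that is not part of the original post: the script below parses Set-Cookie headers and reports every cookie that lacks the HttpOnly or Secure attribute, optionally restricted to the cookie names named in the finding. The response headers are constructed for illustration; cookie values and the ExampleAuthCookie name are placeholders.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure attributes."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]
    missing: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    http_only = "httponly" in attrs
    secure = "secure" in attrs
    missing = [flag for flag, present in (("HttpOnly", http_only), ("Secure", secure)) if not present]
    return CookieAudit(name, http_only, secure, attrs.get("samesite"), missing)


def audit_headers(headers: List[Tuple[str, str]],
                  watch: Optional[Set[str]] = None) -> Dict[str, List[str]]:
    """Return {cookie name: [missing attributes]} for each Set-Cookie header.
    If `watch` is given, only cookies with those names are reported."""
    findings: Dict[str, List[str]] = {}
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        audit = parse_set_cookie(value)
        if watch is not None and audit.name not in watch:
            continue
        if audit.missing:
            findings[audit.name] = audit.missing
    return findings


# Constructed sample response headers (not captured from a real tenant).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SPWorkLoadAttribution=abc123; path=/; secure; SameSite=None"),
    ("Set-Cookie", "ScaleCompatibilityDeviceId=xyz; path=/"),
    ("Set-Cookie", "ExampleAuthCookie=token; path=/; secure; HttpOnly; SameSite=None"),
]

if __name__ == "__main__":
    for cookie, missing in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Whether a given cookie actually carries session state (and so whether the missing flag is a real risk) still has to be judged per cookie; the script only reports the attribute gap.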
