topic Re: PCI Compliance Failure in APIs & Integrations

PCI Compliance Failure

joseph_costello — Mon, 12 Oct 2020 15:34:37 GMT

Recently my website has started to fail PCI Compliance scans through Trustwave. Part of it is related to Hub Spot cookies.

DetectionDetails: Cookie Vulnerabilities Found __hssrc=1 Path = / Host = 0.0.0.0 Cookie does not have secure attribue in HTTPS Cookie does not have an HTTPOnly Attribute Cookie Change Observed on CLIENTside

We've migrated to the external merchant forms so we no longer need to worry about the PCI scan here, but I wanted to pass this along so Hubspot was aware. I'm not sure if the secure attribute can be set on the HS cookies, but might want to look into it. There were also other non-session cookies flagged in the scan to with other frameworks we used, so I don't know if its really a problem with them, or more of a problem with Trustwave's automated session cookie detection.

Re: PCI Compliance Failure

dennisedson — Mon, 12 Oct 2020 17:51:43 GMT

@joseph_costello

Thank you so much for flagging! I Will get this to the team to check it out

Re: PCI Compliance Failure

Anonymous — Wed, 07 Apr 2021 15:25:41 GMT

@dennisedson

Any developments on that front? We'd also need the cookies to be HttpOnly for security reasons.

Re: PCI Compliance Failure

dennisedson — Wed, 07 Apr 2021 16:19:18 GMT

@Anonymous , yep there has been development. It is an alpha form and will be released as an in app feature.

I have a reminder set to check in on this later this month 😀 but please feel free to yell at me if I am not responsive.

Re: PCI Compliance Failure

Anonymous — Wed, 07 Apr 2021 16:24:58 GMT

Awesome, thanks for the quick response. Looking forward to that 🙂

Re: PCI Compliance Failure

KT17 — Tue, 20 Jul 2021 08:28:25 GMT

Any update on this? As this is needed for the same above reasons.

Thanks

Re: PCI Compliance Failure

kate4 — Tue, 03 Aug 2021 10:02:02 GMT

Hi @dennisedson !

Are there any updates?

Re: PCI Compliance Failure

dennisedson — Tue, 03 Aug 2021 18:53:49 GMT

@kate4 ,

Glad you asked 😜

If you go here,

you should be able to now select "Use secure cookies only"

"HTTP Only" security issue with hubspot code

PPointPredict — Tue, 11 Jan 2022 22:45:01 GMT

Hi all,

We found the following security issue from WANS scan report

Threat
The cookie does not contain the "HTTPOnly" attribute.
Impact
Cookies without the "HTTPOnly" attribute are permitted to be accessed via JavaScript. Cross-site scripting attacks can steal cookies which could lead to user
impersonation or compromise of the application account.
Solution
If the associated risk of a compromised account is high, apply the "HTTPOnly" attribute to cookies.

Detection Information
Cookie Name(s) messagesUtk, __hssc, __hssrc, __hstc, hubspotutk

Re: PCI Compliance Failure

TNail — Mon, 10 Jun 2024 10:29:24 GMT

@dennisedson setting "Use secure cookies only" fix "secure" attribute for JSESSIONID cookie. But it doesn't fix HTTPOnly attribute. Is there a plan to fix this as well?

Re: PCI Compliance Failure

CDavis45 — Fri, 07 Nov 2025 17:18:07 GMT

@dennisedson, is there any update on this? Maybe a work-around? It's 2025 and my vulnerability scans are now failing do to the lack of HttpOnly.

Re: PCI Compliance Failure

BGarcia09 — Fri, 27 Feb 2026 16:02:27 GMT

@dennisedson Is there any update on this? It's 2026 now and my vulnerability scans still fail. I have enabled "Use secure cookies only" a long time ago.

Re: PCI Compliance Failure

STierney — Thu, 05 Mar 2026 19:12:32 GMT

Hey @BGarcia09 - thanks for following up here!

Aside from re-tagging @dennisedson, I'd also like to tag in @RubenBurdin and @EValdes to see if either of them have any insight on there being any update regarding this.

Shane, Senior Community Moderator