Recently my website has started to fail PCI Compliance scans through Trustwave. Part of it is related to Hub Spot cookies.
DetectionDetails: Cookie Vulnerabilities Found __hssrc=1 Path = / Host = 0.0.0.0 Cookie does not have secure attribue in HTTPS Cookie does not have an HTTPOnly Attribute Cookie Change Observed on CLIENTside
We've migrated to the external merchant forms so we no longer need to worry about the PCI scan here, but I wanted to pass this along so Hubspot was aware. I'm not sure if the secure attribute can be set on the HS cookies, but might want to look into it. There were also other non-session cookies flagged in the scan to with other frameworks we used, so I don't know if its really a problem with them, or more of a problem with Trustwave's automated session cookie detection.
We found the following security issue from WANS scan report
Threat The cookie does not contain the "HTTPOnly" attribute. Impact Cookies without the "HTTPOnly" attribute are permitted to be accessed via JavaScript. Cross-site scripting attacks can steal cookies which could lead to user impersonation or compromise of the application account. Solution If the associated risk of a compromised account is high, apply the "HTTPOnly" attribute to cookies.
Detection Information Cookie Name(s) messagesUtk, __hssc, __hssrc, __hstc, hubspotutk
@dennisedson setting "Use secure cookies only" fix "secure" attribute for JSESSIONID cookie. But it doesn't fix HTTPOnly attribute. Is there a plan to fix this as well?
