PCI Compliance Failure

joseph_costello
Member

Recently my website has started to fail PCI Compliance scans through Trustwave. Part of it is related to Hub Spot cookies.

 

DetectionDetails: Cookie Vulnerabilities Found __hssrc=1 Path = / Host = 0.0.0.0 Cookie does not have secure attribue in HTTPS Cookie does not have an HTTPOnly Attribute Cookie Change Observed on CLIENTside

 

 

We've migrated to the external merchant forms so we no longer need to worry about the PCI scan here, but I wanted to pass this along so Hubspot was aware. I'm not sure if the secure attribute can be set on the HS cookies, but might want to look into it. There were also other non-session cookies flagged in the scan to with other frameworks we used, so I don't know if its really a problem with them, or more of a problem with Trustwave's automated session cookie detection. 

4 Replies 4
dennisedson
Community Manager

@joseph_costello 

Thank you so much for flagging!  I Will get this to the team to check it out

Thanks,

Dennis



Check out our Community Developer Blog
where we feature our Community driven developer podcast and how to content
0 Upvotes
ABastardas
Member

@dennisedson 

Any developments on that front? We'd also need the cookies to be HttpOnly for security reasons.

0 Upvotes
dennisedson
Community Manager

@ABastardas , yep there has been development.  It is an alpha form and will be released as an in app feature.

I have a reminder set to check in on this later this month 😀 but please feel free to yell at me if I am not responsive.

Thanks,

Dennis



Check out our Community Developer Blog
where we feature our Community driven developer podcast and how to content
0 Upvotes
ABastardas
Member

Awesome, thanks for the quick response. Looking forward to that 🙂