Security issue - insecure HTTP cookies


Our security officer reached out to me and pointed out that he performed a check of our website hosted on HubSpot CMS and noticed 1 thing that needs to be fixed: one of the cookies set by HubSpot does not have a "Secure" flag (here is the screenshot of that issue: http://prntscr.com/nnucf1). I was wondering if that is something that can be set/fixed by the development team?

I understand this issue is not of high risk, and that having SSL enabled on our website would cover the security issue of this missing flag, but still that might be something we would like to have fixed.


Accepted Solutions
Community Manager

Hi @Ismet,

The _cfruid and _cfduid cookies are owned by Cloudflare, our web application firewall. Unfortunately we have no control over their implementation. This cookie has no security impact on the site itself and is only used by Cloudflare for whitelisting specific users from security restrictions; the cookie does not contain user or authentication information. I wanted to share this Cloudflare documentation which describes the use of this cookie.

Thank you,
Jenny


0 Upvotes
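
An added example, not part of the original thread: a small Python audit of `Set-Cookie` headers that lists which cookies lack `Secure`, `HttpOnly` or `SameSite`, and marks the cookie names the answer attributes to Cloudflare as edge-owned so the finding is routed to the party that can change it. The sample header values, the `EDGE_OWNED` set and the function names are assumptions made for illustration.

```python
# Added example: audit Set-Cookie headers for missing security attributes.
# The header values below are constructed samples, not captured from any site.

# Cookie names the answer above attributes to Cloudflare (assumption: leading
# underscores are ignored when matching).
EDGE_OWNED = {"cfduid", "cfruid"}

SAMPLE_HEADERS = [
    "_cfduid=d41d8cd98f; expires=Thu, 07-May-20 10:00:00 GMT; path=/; domain=.example.com; HttpOnly",
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=dark; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes dict)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), attrs


def audit(headers):
    """Return one finding per cookie: absent attributes and the likely owner."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        owner = "edge/WAF" if name.lstrip("_").lower() in EDGE_OWNED else "application"
        findings.append({"name": name, "missing": missing, "owner": owner})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_HEADERS):
        status = "OK" if not f["missing"] else "missing " + ", ".join(f["missing"])
        print(f"{f['name']:10} {f['owner']:12} {status}")
```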