Cookies must have http-only flag set.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-222933 | TCAT-AS-000080 | SV-222933r960792_rule | Medium |
| Description |
| STIG | Date |
| Apache Tomcat Application Server 9 Security Technical Implementation Guide | 2025-02-11 |
Details
| Check Text (C-24605r426243_chk) |
| From the Tomcat server console, run the following command: sudo grep -i -B10 -A1 \/cookie-config $CATALINA_BASE/conf/web.xml If the command returns no results or if the <http-only> element is not set to true, this is a finding. EXAMPLE: <session-config> <session-timeout>15</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config> |
| Fix Text (F-24594r426244_fix) |
| From the Tomcat server console as a privileged user: edit the $CATALINA_BASE/conf/web.xml If the cookie-config section does not exist it must be added. Add or modify the <http-only> setting and set to true. EXAMPLE: <session-config> <session-timeout>15</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config> |