Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-77627

atlassian.xsrf.token cookie has no HttpOnly flag

    XMLWordPrintable

Details

    • 1
    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      Problem

      Currently the atlassian.xsrf.token cookie is not utilizing the HttpOnly flag.

      The JSESSIONID cookie appropriately uses the HttpOnly flag, while atlassian.xsrf.token does not. 

      The Secure flag for the atlassian.xsrf.token cookie was previously introduced through https://jira.atlassian.com/browse/JRASERVER-40949, but the HttpOnly flag was not included at the same time.

      Suggested Solution

      Implement the HttpOnly flag on atlassian.xsrf.token cookie in order to enhance security and align with best practices.

      Why This Is Important

      This discrepancy could pose a medium security risk, as all session cookies are expected to implement the HttpOnly flag according to best security practices.

      Workaround

      n/a

      Attachments

        Activity

          People

            Unassigned Unassigned
            bbbda0e60be6 Mark van Leeuwen
            Votes:
            11 Vote for this issue
            Watchers:
            12 Start watching this issue

            Dates

              Created:
              Updated: