Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-77627

atlassian.xsrf.token cookie has no HttpOnly flag

XMLWordPrintable

    • 0
    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Problem

      Currently the atlassian.xsrf.token cookie is not utilizing the HttpOnly flag.

      The JSESSIONID cookie appropriately uses the HttpOnly flag, while atlassian.xsrf.token does not. 

      The Secure flag for the atlassian.xsrf.token cookie was previously introduced through https://jira.atlassian.com/browse/JRASERVER-40949, but the HttpOnly flag was not included at the same time.

      Suggested Solution

      Implement the HttpOnly flag on atlassian.xsrf.token cookie in order to enhance security and align with best practices.

      Why This Is Important

      This discrepancy could pose a medium security risk, as all session cookies are expected to implement the HttpOnly flag according to best security practices.

      Workaround

      n/a

              Unassigned Unassigned
              bbbda0e60be6 Mark van Leeuwen (Inactive)
              Votes:
              14 Vote for this issue
              Watchers:
              13 Start watching this issue

                Created:
                Updated: