-
Suggestion
-
Resolution: Unresolved
-
None
-
0
-
Problem
Currently the atlassian.xsrf.token cookie is not utilizing the HttpOnly flag.
The JSESSIONID cookie appropriately uses the HttpOnly flag, while atlassian.xsrf.token does not.
The Secure flag for the atlassian.xsrf.token cookie was previously introduced through https://jira.atlassian.com/browse/JRASERVER-40949, but the HttpOnly flag was not included at the same time.
Suggested Solution
Implement the HttpOnly flag on atlassian.xsrf.token cookie in order to enhance security and align with best practices.
Why This Is Important
This discrepancy could pose a medium security risk, as all session cookies are expected to implement the HttpOnly flag according to best security practices.
Workaround
n/a