Hi,
during an internal VA our security team opened a vulnerability issue about this.
Reading the OWASP docs as well, the secure attribute seems suggested but not mandatory for this kind of token, so does anyone know anything about this? Could it be a false positive (??), and/or how can the secure flag be enabled for this cookie/token?
Report Vuln ID
Title: Session Cookie (Authentication Related) Does Not Contain The “secure” Attribute
Severity: Medium
CVSS Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:F/RL:W/RC:C
Root Cause: Not Available
Risk Area: Amber
Results: NX-ANTI-CSRF-TOKEN=0.7479063872718273; path=/; domain=
Cookies set via JavaScript do not have an associated HTTP response header.
Evidence: -
Threat: -
Remediation notes:
If the associated risk of a compromised account is high, apply the “secure” attribute to session cookies and force all sensitive requests to be sent via HTTPS.
Thanks
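As an added example (not part of the original post and not Nutanix code), the check the scanner applied to the Results line above, plus a helper that writes the same cookie with the Secure attribute from JavaScript; the function names and the use of SameSite=Strict are assumptions for illustration.

```javascript
// Added example: audit a cookie definition such as the one quoted in the
// report, and build a hardened definition for document.cookie.

// Split "NAME=value; attr; attr=val" into its name/value pair and attributes.
function parseCookieDefinition(def) {
  const parts = def.split(';').map((p) => p.trim()).filter(Boolean);
  const [first, ...rest] = parts;
  const eq = first.indexOf('=');
  const name = eq === -1 ? first : first.slice(0, eq);
  const value = eq === -1 ? '' : first.slice(eq + 1);
  const attrs = {};
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return the hardening attributes the definition lacks. The scanner's finding
// corresponds to 'missing Secure'; SameSite is checked as well because it is
// the other attribute script-set cookies commonly omit.
function auditCookie(def) {
  const { attrs } = parseCookieDefinition(def);
  const findings = [];
  if (!('secure' in attrs)) findings.push('missing Secure');
  if (!('samesite' in attrs)) findings.push('missing SameSite');
  return findings;
}

// Build a cookie string with Secure set. HttpOnly cannot be set from
// JavaScript, so a token written via document.cookie stays readable by
// script by design; Secure and SameSite can still be applied.
function secureCookieString(name, value, { path = '/', sameSite = 'Strict' } = {}) {
  return `${name}=${encodeURIComponent(value)}; Path=${path}; Secure; SameSite=${sameSite}`;
}

// Browser usage (hypothetical): a Secure cookie written from script is only
// stored on an https:// origin; on http:// the browser silently drops it.
// document.cookie = secureCookieString('NX-ANTI-CSRF-TOKEN', token);
```

Run auditCookie against the Results line from the report to reproduce the finding, and against the output of secureCookieString to confirm the fix clears it.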