Did a quick penetration test over https://pentest-tools.com/website-vulnerability-scanning/web-server-scanner?run for my locally hosted Nextcloud server and received a "medium-secure server" result because secure cookies were not enabled (risk description at the bottom). Are there any plans to implement secure cookies, or do we need to do that at the web server level?
Risk description:
Since the Secure flag is not set on the cookie, the browser will send it over an unencrypted channel (plain HTTP) if such a request is made. Thus, the risk exists that an attacker will intercept the clear-text communication between the browser and the server and he will steal the cookie of the user. If this is a session cookie, the attacker could gain unauthorized access to the victim’s web session.
Recommendation:
We recommend reconfiguring the web server in order to set the flag(s) Secure to all sensitive cookies.
Openvas also complains about that and gives a “medium” warning:
Summary
The host is running a server with SSL/TLS and is prone to information disclosure vulnerability.
Vulnerability Detection Result
The cookies:
Set-Cookie: 45342agfd4=replaced; path=/; HttpOnly
are missing the “secure” attribute.
Solution
Solution type: Mitigation
Set the ‘secure’ attribute for any cookies that are sent over a SSL/TLS connection.
Affected Software/OS
Server with SSL/TLS.
Vulnerability Insight
The flaw is due to cookie is not using ‘secure’ attribute, which allows cookie to be passed to the server by the client over non-secure channels (http) and allows attacker to conduct session hijacking attacks.
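The finding both scanners report comes down to inspecting each `Set-Cookie` header for the `Secure` attribute. The following is an added example, not code from the original post or from Nextcloud: a small audit that parses `Set-Cookie` lines the way a scanner such as OpenVAS does and reports which hardening attributes (`Secure`, `HttpOnly`, `SameSite`) each cookie lacks. The sample response block is constructed for the example, except for the cookie line quoted in the OpenVAS output above; the `served_over_tls` switch is an assumption of this example and models the one caveat worth knowing before fixing the finding: a `Secure` cookie is never sent over plain HTTP, so it only makes sense once the site is actually served over HTTPS.

```python
"""Audit Set-Cookie headers for the Secure / HttpOnly / SameSite attributes.

Added example, not from the original post or from Nextcloud. It parses the
Set-Cookie lines a scanner such as OpenVAS looks at and reports which
hardening attributes each cookie is missing.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CookieAudit:
    name: str
    # lower-cased attribute name -> value (None for bare flags such as Secure)
    attributes: Dict[str, Optional[str]]
    missing: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Split a Set-Cookie value into the cookie name and its attribute map.

    Attribute names are compared case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attributes: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attributes[key.strip().lower()] = value.strip()
        else:
            attributes[part.lower()] = None  # flag attribute: Secure, HttpOnly
    return CookieAudit(name=name, attributes=attributes)


def audit_cookie(header_value: str, served_over_tls: bool = True) -> CookieAudit:
    """Report which hardening attributes a cookie lacks.

    Secure is only required (and only harmless) when the site is served over
    HTTPS: a Secure cookie is never sent over plain HTTP, so setting it on a
    cleartext-only deployment would break logins instead of protecting them.
    (served_over_tls is an assumption of this example, not a scanner option.)
    """
    audit = parse_set_cookie(header_value)
    if served_over_tls and "secure" not in audit.attributes:
        audit.missing.append("Secure")
    if "httponly" not in audit.attributes:
        audit.missing.append("HttpOnly")
    if "samesite" not in audit.attributes:
        audit.missing.append("SameSite")
    return audit


def audit_response_headers(raw_headers: str, served_over_tls: bool = True) -> Dict[str, List[str]]:
    """Scan a raw HTTP header block; map each cookie name to its missing attributes."""
    findings: Dict[str, List[str]] = {}
    for line in raw_headers.splitlines():
        if line.lower().startswith("set-cookie:"):
            audit = audit_cookie(line.split(":", 1)[1].strip(), served_over_tls)
            findings[audit.name] = audit.missing
    return findings


# Constructed sample response: the first cookie line is the one the OpenVAS
# report quotes; the second is a constructed hardened variant for comparison.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: 45342agfd4=replaced; path=/; HttpOnly
Set-Cookie: hardened_session=replaced; Path=/; Secure; HttpOnly; SameSite=Lax
"""

if __name__ == "__main__":
    for cookie, missing in audit_response_headers(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```

Run against the real server with the header block from `curl -sI https://<host>/`, the same check reproduces the scanner's finding and, after a fix, confirms it is gone. If the flag has to be added at the web server rather than by the application, Apache's mod_headers directive `Header edit Set-Cookie ^(.*)$ "$1; Secure"` is one established way to append it to every cookie the backend emits; that directive is general Apache knowledge and not something the post itself mentions.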