Applies to Product - Power Pages
What’s happening?
The customer reported that certain cookies on their Power Pages site, specifically "ai_session" and "isDSTObserved," do not have the HttpOnly attribute set, which raises concerns about potential security risks such as script attacks and information theft.
Reason:
The absence of the HttpOnly attribute on the specified cookies is due to the current configuration of the Power Pages site, which does not consider these cookies as vulnerabilities.
Resolution:
- Addition of the HttpOnly attribute to the cookies "ai_session" and "isDSTObserved" is not possible under the current settings.
- Security risk from script attacks is considered low for these cookies, which is why the HttpOnly flag is not applied.
- Continue operating with the current configuration as the risk is deemed acceptable.
