Unfortunately Mendix does not support de “HTTP Only flag”. This allows Mendix cookies to be accessed by other, non-Mendix, sessions, as stated by OWASP: “If a browser [sic: or server] does not support HttpOnly and a website attempts to set an HttpOnly cookie, the HttpOnly flag will be ignored by the browser, thus creating a traditional, script accessible cookie. As a result, the cookie (typically your session cookie) becomes vulnerable to theft of modification by malicious script.” Source: https://owasp.org/www-community/HttpOnly . We would very much like to be able to set the HTTP Only flag and because this is a security-concern, we would like to ask to to enable customers to set the HTTP Only flag in their Mendix-based applications. Please let us know at what timeframe this feature will become available. Thank you for your tie and consideration. Kind regards,
I would like to second this suggestion. One of our applications (On Studio Pro 8.17) had this flagged in a penetration test, with the following reasoning provided:
An XSS vulnerability would allow an attacker to execute their own client-side code in other users’ browsers to read the document.cookie property and send it back to the attacker, allowing them to impersonate the targeted user.