HTTPONLY

Hi @angpanday,

Really Simple SSL will add rules to the wp-config.php file to give cookies the HTTPOnly attribute. This will work for first party cookies set on your own domain (for example by plugins on your site). Cookies from third-party services cannot be altered by Really Simple SSL and therefore won’t automatically have the HTTPOnly attribute set. We recommend to enable Really Simple SSL to give local cookies the HTTPOnly attribute. If there are then any third-party cookies left without the HTTPOnly attribute, you can always contact the developer of those services and ask if they can set their cookies with the HTTPOnly attribute.

Thank you for the quick reply Mark. So if I go pro version, will that fix the problem? I don’t have any coding background. I’m just relying on plugins.

By the way, do you want me to post here the evidence to be more elaborate….

I have already enabled the basic plugin, but still get the same result.

Here is the evidence of the issue:

url: https://outbackworx.com.au/ Payload: N/A variants: 6 matched: sbjs_udata=vst%3D1%7C%7C%7Cuip%3D%2 8none%29%7C%7C%7Cuag%3DMozilla%2F5.0%20%2 8Macintosh%3B%20Intel%20Mac%20OS%20X%2010_1 4_5%29%20AppleWebKit%2F605.1.15%20%28KHTML %2C%20like%20Gecko%29%20Version%2F12.1.1%20S afari%2F605.1.15; path=/; domain=.outbackworx.com.au Cookies set via JavaScript do not have an associated H TTP response header. ; sbjs_current=typ%3Dtypein%7C%7C%7Csrc%3D%28d irect%29%7C%7C%7Cmdm%3D%28none%29%7C%7C %7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28n one%29%7C%7C%7Ctrm%3D%28none%29%7C%7C% 7Cid%3D%28none%29%7C%7C%7Cplt%3D%28none% 29%7C%7C%7Cfmt%3D%28none%29%7C%7C%7Ctct %3D%28none%29; path=/; domain=.outbackworx.com.a u Cookies set via JavaScript do not have an associated H TTP response header. ; sbjs_current_add=fd%3D2024-08-27%2015%3A19%3A 30%7C%7C%7Cep%3Dhttps%3A%2F%2Foutbackworx. com.au%2F%7C%7C%7Crf%3D%28none%29; path=/; d omain=.outbackworx.com.au Cookies set via JavaScript do not have an associated H TTP response header. ; sbjs_first=typ%3Dtypein%7C%7C%7Csrc%3D%28direc t%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7 Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none %29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Ci d%3D%28none%29%7C%7C%7Cplt%3D%28none%29 %7C%7C%7Cfmt%3D%28none%29%7C%7C%7Ctct%3 D%28none%29; path=/; domain=.outbackworx.com.au Cookies set via JavaScript do not have an associated H TTP response header

main=.outbackworx.com.au Cookies set via JavaScript do not have an associated H TTP response header. ; sbjs_migrations=1418474375998%3D1; path=/; domain =.outbackworx.com.au Cookies set via JavaScript do not have an associated H TTP response header. ; sbjs_session=pgs%3D1%7C%7C%7Ccpg%3Dhttps%3 A%2F%2Foutbackworx.com.au%2F; expires=Tue Aug 2 7 08:49:30 2024; path=/; domain=.outbackworx.com.au; max-age=373 Cookies set via JavaScript do not have an associated H TTP response header. url: https://outbackworx.com.au/product/roo-bottle-opener -and-pry/ Payload: N/A variants: 2 matched: woocommerce_items_in_cart= 302 Found Date: Tue, 27 Aug 2024 15:21:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Cache-Control: no-cache, must-revalidate, max-age=0 expires: Wed, 11 Jan 1984 05:00:00 GMT location: https://outbackworx.com.au/product/roo-bottle-o pener-and-pry/?product_added_to_cart=238&quantit y=1 set-cookie: woocommerce_items_in_cart=1; path=/ woocommerce_cart_hash=5992227348df71aa5b4143c38 e72915e; path=

idence Exceptions, False Positives, or Compensating Controls Noted by the ASV for this Vulnerability wp_woocommerce_session_eca4a8e84b21e0cf06c675c 02e854963=t_5401661741dc7729abe2ad3ed96a58%7C %7C1724944870%7C%7C1724941270%7C%7C843627 ef36fa667d7d5c65e81f62628b; expires=Thu, 29-Aug-202 4 15:21:10 GMT; Max-Age=172800; path=/; secure; Http Only x-cacheproxy-retries: 0/2 x-content-type-options: nosniff x-fawn-proc-count: 3,1,24 x-php-version: 8.0 x-redirect-by: WordPress x-xss-protection: 1; mode=block x-backend: varnish_ssl strict-transport-security: max-age=31536000; includeSub Domains CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8b9d0cbde8bf312e-LAX alt-svc: h3=”:443″; ma=86400

Hi @angpanday,

Really Simple SSL will only set the HTTPOnly cookies for cookies from your own plugins/theme, not for third-party cookies as we cannot alter those. The HTTPOnly attribute can also not be set for cookies set using Javascript.

Hi

I have the same problem, Trying to get wordpress through a PCI security scan to become payment standards compliant

Cookies set via JavaScript do not have an associated HTTP response header.

errors shown sbjs_udata, sbjs_current, sbjs_current_add, sbjs_first, sbjs_first_add, sbjs_migrations, sbjs_session

I have come across a different thread that shows this

WooCommerce > Settings > Advanced > Features > Order Attribution. untick the box and clear the cache

not sure if it helps, until i run a scan. I can’t see if its properly fixed

Its all good now. I really appreciate all your help. Cheers!