Self Service Summary
Security Team is reporting "missing httpOnly flag for dtCookie" or "Dynatrace cookies are vulnerable because httpOnly attribute is not set".
| Issue |
Solution |
Tasks |
Alternative(s) |
| httpOnly flag not set on dtCoockie |
Explain why httpOnly is not supported - see below. |
Check below information and explain it to your Security Team |
Dynatrace supports the Secure cookie attribute - see below.
Submit a Support ticket if you have additional questions or concerns.
|
RUM correlation requires the dtCookie and dtPC cookies to be on web requests in order to link them to user actions. However, because dtCookie is part of the beacon and because the RUM JavaScript sets and modifies these cookies, they don't support the HttpOnly flag. HttpOnly cookies are inaccessible to JavaScript, so the RUM JavaScript cannot set and modify such cookies. See Cookies for complete details.
You can add the Secure cookie attribute to all Dynatrace cookies to ensure that browsers send these cookies only over secure connections. Before enabling the Secure cookie attribute, make sure that your application is completely served over secure connections. See Secure cookies for more information.
