While running a Qualys vulnerability scan against a site that is still under development, I found the following vulnerabilities:
Cookie Does Not Contain The "HTTPOnly" Attribute
Cookie Does Not Contain The "secure" Attribute
My application runs on ExpressJS, NodeJS and the nginx web server. I am using express-session and csurf tokens. I have set the HTTPOnly and secure flags to true. The configuration is as follows:
// Requires added so the snippet runs stand-alone; the original post only showed the app.use() calls.
const path = require("path");
const express = require("express");
const bodyParser = require("body-parser");
const cookieParser = require("cookie-parser");
const expressSession = require("express-session");
// Assumed: the connect-mongo v3-style API, which matches the `new MongoStore({ url })` call below.
const MongoStore = require("connect-mongo")(expressSession);

const app = express();

app.use(bodyParser.json({limit: '50mb'}));
app.use(bodyParser.urlencoded({extended: false, limit: '50mb'}));
app.use(cookieParser());
app.use(express.static(path.join(__dirname, "/../public")));
// Behind nginx: trust X-Forwarded-* headers so req.secure reflects the client-side scheme.
app.enable("trust proxy");
app.use(expressSession({
store: new MongoStore({
url: `session_db`
}),
secret: `session_secret`,
resave: true,
saveUninitialized: true,
proxy: true,
rolling: true,
cookie: {
secure: true,      // emits the Secure attribute (only when the request is seen as HTTPS)
httpOnly: false,   // as posted: no HttpOnly attribute is emitted for the session cookie
maxAge: (72 * 60 * 60 * 1000)
},
unset: "destroy"
}));