AXA Browser Agent - HttpOnly and Secure attributes for DX AXA cookies flagged in vulnerability scan

Article ID: 267190


Products

  • CA Application Experience Analytics SaaS (AXA)
  • CA App Experience Analytics
  • DX APM SaaS
  • DX Application Performance Management

Issue/Introduction

The "Browser Agent" connection uses cookies that a vulnerability scan flags as insecure:

  • x-apm-ba-BAFinPrt
  • x-apm-brtm-bt-pv
  • x-apm-brtm-bt-p

These cookies are documented in https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/ca-experience-collector/2-4/browser-agent/implement-the-browser-agent/configure-the-browser-agent-response-decoration.html

These cookies are not marked Secure and do not specify HttpOnly. The Agent is configured to request the snippet from the DXC gateway; DX SaaS then sends the snippet and the browser communicates with DXS. We are not using an internal DXC.

Is there a way to change the cookies so that they use HTTPS instead?
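The scan finding above comes down to which attributes each Set-Cookie header carries: Secure is the attribute that restricts a cookie to HTTPS, and HttpOnly keeps it out of reach of page scripts. The following audit script is an added example for this article, not code from the KB or from the AXA product. It parses a captured HTTP response head, extracts every Set-Cookie header and reports which of Secure, HttpOnly and SameSite each cookie lacks. The three cookie names are taken from the article; the header values and the "session" cookie are constructed sample data.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly / SameSite attributes.

Added example for this article; it is not part of the KB or the AXA product.
The three x-apm-* cookie names come from the article; the header values and
the "session" cookie are constructed sample data.
"""

# Constructed sample response head, as a scanner or browser devtools would
# capture it. Values are placeholders, not real agent output.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: x-apm-ba-BAFinPrt=constructed-value; Path=/\r\n"
    "Set-Cookie: x-apm-brtm-bt-pv=constructed-value; Path=/\r\n"
    "Set-Cookie: x-apm-brtm-bt-p=constructed-value; Path=/\r\n"
    "Set-Cookie: session=constructed-value; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
)

# Attributes a scanner typically expects on every cookie.
REQUIRED_ATTRIBUTES = ("Secure", "HttpOnly", "SameSite")


def headers_from_raw(raw):
    """Split an HTTP response head into (name, value) pairs.

    The status line is dropped. Repeated headers (Set-Cookie in particular)
    are kept as separate pairs, because folding them with commas would
    corrupt cookie values.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def parse_set_cookie(header_value):
    """Parse one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased so matching is case-insensitive; flag
    attributes (Secure, HttpOnly) map to True and valued attributes (Path,
    SameSite, ...) map to their string value. Only the first '=' splits the
    cookie name from its value, so an '=' inside the value survives.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attributes = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attributes[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attributes


def audit_cookie(header_value):
    """Return (cookie name, list of missing attributes) for one Set-Cookie header."""
    name, _, attributes = parse_set_cookie(header_value)
    missing = [a for a in REQUIRED_ATTRIBUTES if a.lower() not in attributes]
    return name, missing


def audit_response(raw_response):
    """Map every cookie set in the response to the attributes it lacks.

    An empty list means the cookie carries Secure, HttpOnly and SameSite;
    a non-empty list is what a vulnerability scanner would report.
    """
    findings = {}
    for header_name, header_value in headers_from_raw(raw_response):
        if header_name.lower() != "set-cookie":
            continue
        cookie_name, missing = audit_cookie(header_value)
        findings[cookie_name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit_response(SAMPLE_RESPONSE).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```

Run against a response captured from your own application, the script lists exactly the cookies a scanner would flag; the Resolution below (disabling the cookies) removes them from that list, which is the check to repeat after the change.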

Environment

DX AXA SaaS

DX AXA on-premise 2x

Resolution

The cookies can be disabled if they are reported as a vulnerability; the related impacts have been addressed. To disable them, uncheck the Allow Cookies checkbox in the AXA app. The screenshot below is provided for reference.