AXA BrowserAgent - httponly and secure attributed for DXAXA cookies flag in vulnerability scan
Article ID: 267190
Updated On:
Products
CA Application Experience Analytics SaaS (AXA)
CA App Experience Analytics
DX APM SaaS
DX Application Performance Management
Issue/Introduction
The "Browser Agent" connection is using cookies that is flagged as unsecure.
- x-apm-ba-BAFinPrt
- x-apm-brtm-bt-pv
- x-apm-brtm-bt-p
These cookies are documented in https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/ca-experience-collector/2-4/browser-agent/implement-the-browser-agent/configure-the-browser-agent-response-decoration.html
These cookies are not secure and do not specify HTTPOnly. The Agent is configured to request snippet from the DXC gateway then DX SaaS sends the snippet and Browser communicates with DXS. We are not using internal DXC.
Is there a way to change the cookies so use HTTPS instead?
Environment
DX AXA SAAS
DX AXA on-premise 2x
Resolution
The cookies can be disabled if they cause vulnerabilities. The related impacts are addressed. The Allow Cookies checkbox in AXA app needs to be unchecked if the cookies need to be disabled. Below is the screenshot for reference.
Feedback
Yes
No
Powered by
