Operator Console security scan reports Cookie with Insecure or Improper or Missing SameSite attribute

Article ID: 368403


Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

We received the following notification from a security scan/audit of the DX UIM Operator Console environment:

Cookie with Insecure or Improper or Missing SameSite attribute

What does this mean and how can we resolve it?

Environment

DX UIM 20.4 and higher

Cause

DX UIM Operator Console uses cookies which are shared with the CABI server to enable integration between Operator Console and CABI. To enable this integration, the cookie is created with the SameSite attribute set to 'Lax'.

Security scans will often flag cookies with the 'Lax' attribute if they are accessible via an insecure/unencrypted (HTTP) connection.

Resolution

Enabling HTTPS on the Operator Console and CABI will resolve this issue. Security scans generally allow the 'Lax' attribute if the 'Secure' flag is also set, which means the cookie is only transmitted over HTTPS.

Depending on the requirements of your organization, it may also be necessary to disable, block or redirect HTTP (port 80) at the same time.
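To verify the fix without waiting for the next scan cycle, the Set-Cookie headers returned by the Operator Console can be checked directly for the combination the scanner looks for: a SameSite attribute that is present and valid, and a Secure flag alongside it. The following is an added example written for this article, not code from DX UIM or Broadcom; the cookie name SESSION_EXAMPLE and the header values are constructed samples, and the scanner rules are modelled on the behaviour described above (Lax is accepted when Secure is also set; SameSite=None without Secure is rejected per the cookie specification).

```python
"""Audit Set-Cookie headers for the SameSite/Secure combination that
security scanners flag. Constructed example; not DX UIM product code."""
from dataclasses import dataclass, field
from typing import List, Optional

VALID_SAMESITE = ("strict", "lax", "none")


@dataclass
class CookieFinding:
    name: str
    samesite: Optional[str]
    secure: bool
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieFinding:
    """Split one Set-Cookie header value into its name, SameSite value
    and Secure flag. Attribute names are case-insensitive per RFC 6265."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite: Optional[str] = None
    secure = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = value.strip().lower() or None
        elif key == "secure":
            secure = True
    return CookieFinding(name=name, samesite=samesite, secure=secure)


def evaluate_cookie(header: str) -> CookieFinding:
    """Apply the scanner's rules and record every problem found."""
    finding = parse_set_cookie(header)
    if finding.samesite is None:
        finding.problems.append("missing SameSite attribute")
    elif finding.samesite not in VALID_SAMESITE:
        finding.problems.append(f"improper SameSite value '{finding.samesite}'")
    elif finding.samesite == "none" and not finding.secure:
        finding.problems.append("SameSite=None requires Secure")
    if not finding.secure:
        # Without Secure the cookie may travel over plain HTTP, which is
        # exactly why a 'Lax' cookie gets flagged in the article above.
        finding.problems.append("Secure flag not set")
    return finding


def audit_headers(headers: List[str]) -> dict:
    """Map each cookie name to its list of problems (empty list = clean)."""
    return {f.name: f.problems for f in map(evaluate_cookie, headers)}


# Constructed sample headers: the 'before' (HTTP-only deployment) and the
# 'after' (HTTPS enabled, Secure flag present) states of the same cookie.
BEFORE = "SESSION_EXAMPLE=abc123; Path=/; HttpOnly; SameSite=Lax"
AFTER = "SESSION_EXAMPLE=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    for label, hdr in (("before", BEFORE), ("after", AFTER)):
        result = evaluate_cookie(hdr)
        status = "OK" if not result.problems else "; ".join(result.problems)
        print(f"{label:6} {result.name}: {status}")
```

Run it against the headers captured from a browser's developer tools or from the response of the Operator Console login page; a clean result for every cookie is what the scan expects once HTTPS is in place. The `Secure` check is deliberately independent of `SameSite`, so a cookie that sets neither reports both problems.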

Additional Information