We are using a Tadabase-hosted webpage, and during a security review, we noticed that session cookies are missing the HttpOnly attribute. This was flagged as a potential security issue, as it could allow client-side JavaScript access to the cookie.
Is there a way to enable the HttpOnly flag for Tadabase session cookies? If not, is this something that could be addressed in a future update?
Hi @kriststen, just checking in to see if you had any feedback on the security issue I submitted. I created a ticket but haven’t heard back regarding the issue itself, so I wanted to make sure it’s on the development team’s radar. Adding the HttpOnly attribute should be a straightforward fix.
Thank you,
David
Hi everyone,
I’ve reached out to Tadabase support multiple times regarding a security-related issue but haven’t received any response. I’m hoping someone in the community might be able to help or has dealt with something similar.
Our security scanner continues to flag that the XSRF-TOKEN cookie is missing the HttpOnly attribute. I’ve checked the logs and confirmed this is still the case. Interestingly, another Tadabase cookie does include the HttpOnly flag, so it appears to be selectively applied.
Has anyone successfully contacted Tadabase support recently? Do they assist with issues like this? Any tips for getting a response or resolving this would be much appreciated.
Thanks in advance!
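To verify findings like the ones in the first and third posts yourself, rather than relying only on a scanner report, it helps to pull the raw `Set-Cookie` headers and check each cookie's attributes. The script below is an added example written for this thread; it is not Tadabase code and does not describe how Tadabase sets its cookies. All function names are mine, and the sample headers at the bottom are constructed to mirror the situation described above: a session cookie that carries HttpOnly and an XSRF-TOKEN cookie that does not.

```python
"""Audit Set-Cookie headers for missing security attributes.

Runs offline over the constructed SAMPLE_HEADERS below; point
fetch_set_cookie_headers() at a site you are authorised to test to audit
live headers instead.
"""
from urllib.request import urlopen  # only used by fetch_set_cookie_headers()

# Attributes every cookie should carry, and the SameSite values treated as safe.
REQUIRED_FLAGS = ("HttpOnly", "Secure")
SAMESITE_OK = ("strict", "lax")


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased so 'httponly' and 'HttpOnly' compare
    equal (RFC 6265 treats attribute names case-insensitively). Flags with
    no value (HttpOnly, Secure) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str) -> list:
    """Return a list of findings (strings) for one Set-Cookie header."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    for flag in REQUIRED_FLAGS:
        if flag.lower() not in attrs:
            findings.append(f"missing {flag}")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str):
        # Absent, or present with no value: browsers fall back to their default.
        findings.append("missing SameSite")
    elif samesite.lower() not in SAMESITE_OK:
        findings.append(f"SameSite={samesite} (None allows cross-site sending)")
    return findings


def audit_headers(headers: list) -> dict:
    """Map each cookie name to its findings; a clean cookie maps to []."""
    return {parse_set_cookie(h)["name"]: audit_cookie(h) for h in headers}


def fetch_set_cookie_headers(url: str) -> list:
    """Collect every Set-Cookie header from a single GET to `url`.

    Assumes you are authorised to test the site. Not called by default so
    the module runs offline.
    """
    with urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "app_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "XSRF-TOKEN=tok456; Path=/; Secure; SameSite=Lax",
    "tracking=xyz; Path=/",
]

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {', '.join(findings) if findings else 'ok'}")
```

One caveat when reading the output: frameworks that use the double-submit cookie pattern for CSRF protection deliberately leave the token cookie (commonly named XSRF-TOKEN) readable by page script, because the client must copy it into a request header. In that design a missing HttpOnly on the token cookie is expected and is not the same class of finding as a missing HttpOnly on the session cookie, which is the one that authenticates the user. Whether that applies to a given platform is something only its vendor can confirm; the script just reports what the headers say.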