Security Concern - HttpOnly Attribute missing for Tadabase Cookies

We are using a Tadabase-hosted webpage, and during a security review, we noticed that session cookies are missing the HttpOnly attribute. This was flagged as a potential security issue, as it could allow client-side JavaScript access to the cookie.

Is there a way to enable the HttpOnly flag for Tadabase session cookies? If not, is this something that could be addressed in a future update?

Hi @kriststen, just checking in to see if you had any feedback on the security issue I submitted. I created a ticket but haven’t heard back regarding the issue itself, so I wanted to make sure it’s on the development team’s radar. Adding the HttpOnly attribute should be a straightforward fix.

Thank you,

David


Hi everyone,

I’ve reached out to Tadabase support multiple times regarding a security-related issue but haven’t received any response. I’m hoping someone in the community might be able to help or has dealt with something similar.

Our security scanner continues to flag that the XSRF-TOKEN cookie is missing the HttpOnly attribute. I’ve checked the logs and confirmed this is still the case. Interestingly, another Tadabase cookie does include the HttpOnly flag, so it appears to be selectively applied.

Has anyone successfully contacted Tadabase support recently? Do they assist with issues like this? Any tips for getting a response or resolving this would be much appreciated.

Thanks in advance!

About the XSRF-TOKEN Cookie and Security Scanners

You might notice that our app sets a cookie called XSRF-TOKEN without the HttpOnly flag, and some security tools may flag this as a concern. But in this case, it’s completely intentional and not a security risk.

Here’s why:

  • The CSRF token is not a secret. It can’t be used to log in or do anything sensitive on its own.
  • The token needs to be readable by the browser’s JavaScript. That’s how forms and buttons work securely in the background (AJAX).
  • If a hacker could already run scripts in your browser (via XSS), they could do damage with or without this token.

If we set this cookie as HttpOnly, it would break how the app works, so it’s actually safer not to set that flag in this case.

No changes are needed here, and everything is working as designed.

Let us know if you have any other questions!
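Moe's reply describes the double-submit-cookie CSRF pattern: the session cookie carries the login and is kept away from script with HttpOnly, while the XSRF-TOKEN cookie is deliberately readable so the page's own JavaScript can copy it into a request header that the server compares against the cookie. The following is an added example, not Tadabase's code; the cookie name `XSRF-TOKEN`, the header name `X-XSRF-TOKEN`, the `session` cookie name and the server logic are assumptions used to model the pattern offline.

```python
"""Double-submit-cookie CSRF pattern: which cookie gets HttpOnly and why.
Added example with a hypothetical server; names and flow are assumptions."""
from __future__ import annotations

import hmac
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "session"      # authenticates the user: must be HttpOnly
XSRF_COOKIE = "XSRF-TOKEN"      # CSRF token: must stay readable by page JS
XSRF_HEADER = "X-XSRF-TOKEN"    # header the page's JS copies the token into


def issue_login_cookies(session_id: str, xsrf_token: str) -> SimpleCookie:
    """Cookies the (hypothetical) server sets after a successful login."""
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = session_id
    jar[SESSION_COOKIE]["httponly"] = True   # script must never read this one
    jar[SESSION_COOKIE]["secure"] = True
    jar[XSRF_COOKIE] = xsrf_token
    jar[XSRF_COOKIE]["secure"] = True        # no HttpOnly: JS has to read it
    return jar


def set_cookie_headers(jar: SimpleCookie) -> list[str]:
    """The Set-Cookie header values as a security scanner would see them."""
    return [m.OutputString() for m in jar.values()]


def document_cookie(jar: SimpleCookie) -> dict[str, str]:
    """What same-origin JavaScript sees in document.cookie: HttpOnly cookies are hidden."""
    return {m.key: m.value for m in jar.values() if not m["httponly"]}


def csrf_ok(cookies: dict[str, str], headers: dict[str, str]) -> bool:
    """Server-side check: the header token must match the cookie token (constant-time)."""
    cookie_tok = cookies.get(XSRF_COOKIE, "")
    header_tok = headers.get(XSRF_HEADER, "")
    if not cookie_tok or not header_tok:
        return False
    return hmac.compare_digest(cookie_tok, header_tok)


def same_origin_ajax(jar: SimpleCookie) -> tuple[dict[str, str], dict[str, str]]:
    """The app's own JS reads XSRF-TOKEN from document.cookie and sends it as a header.
    The browser attaches every cookie, including the HttpOnly session, on its own."""
    cookies = {m.key: m.value for m in jar.values()}
    headers = {XSRF_HEADER: document_cookie(jar)[XSRF_COOKIE]}
    return cookies, headers


def cross_site_form_post(jar: SimpleCookie) -> tuple[dict[str, str], dict[str, str]]:
    """A request forged from another origin, modelled as if the browser still attached
    the cookies: the foreign page cannot read XSRF-TOKEN, so no matching header exists."""
    cookies = {m.key: m.value for m in jar.values()}
    return cookies, {}


def demo() -> dict[str, bool]:
    """Run the pattern end to end with constructed (random) values."""
    jar = issue_login_cookies(secrets.token_urlsafe(16), secrets.token_urlsafe(32))
    visible = document_cookie(jar)
    return {
        "session_hidden_from_js": SESSION_COOKIE not in visible,
        "xsrf_visible_to_js": XSRF_COOKIE in visible,
        "legit_request_accepted": csrf_ok(*same_origin_ajax(jar)),
        "forged_request_rejected": not csrf_ok(*cross_site_form_post(jar)),
    }


if __name__ == "__main__":
    for line in set_cookie_headers(issue_login_cookies("sid-example", "tok-example")):
        print("Set-Cookie:", line)
    print(demo())
```

The point the scanner misses is visible in `document_cookie` and `csrf_ok` together: the token only does its job because script on the legitimate origin can read it, and a forged cross-site request fails precisely because the attacker's page cannot. The session cookie is the one whose HttpOnly flag matters, which is consistent with the observation in the thread that another Tadabase cookie does carry it. Marking both cookies `Secure` and adding `SameSite` as defence in depth is a separate hardening step from the HttpOnly question.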

Apologies for not responding sooner, but I think you misspelled my name so I did not get a tag.

I see Moe has already commented on this, hope that answers your question!

As a general rule, I’d recommend always emailing Support at support@tadabase.io for specific issues.

Hello @Kristen, thank you for your response, and my apologies for misspelling your name. I really appreciate your help and Moe’s detailed reply. I’ve had limited and inconsistent success getting support through support@tadabase.io, the chat, or the community, so I’d be happy to discuss further offline if that’s an option.

I do wish Tadabase offered some kind of maintenance plan… like when you buy a bicycle. I’d gladly invest in something like that if it meant I could count on timely responses to support inquiries.