Check that all Matomo cookies are set with the secure flag #15681
Labels
Bug
For errors / faults / flaws / inconsistencies etc.
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Found out the _pk_ref cookie is not secure, despite setSecureCookies being set. All the other _pk cookies, however, are.
From a quick look into the JavaScript code, the check for a secure cookie is missing on some other cookies too, e.g. CustomDimension.
Maybe the check if a cookie needs the secure flag can be moved to the setCookie-function instead of doing it individually for every single cookie.
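A sketch of the centralisation suggested above, added here as an illustration and not taken from Matomo's tracker code: the secure decision lives in one `setCookie` writer, and a small audit helper lists any cookie string written without the flag. `createCookieWriter`, `findInsecureCookies`, `demo`, the `sink` parameter and the `_example` cookie names are hypothetical.

```javascript
// Added illustration; not Matomo's tracker code. All names are hypothetical.
// In a browser the sink would be: function (c) { document.cookie = c; }
function createCookieWriter(config, sink) {
  function setCookie(name, value, opts) {
    opts = opts || {};
    var parts = [name + '=' + encodeURIComponent(value)];
    if (opts.maxAgeMs) {
      parts.push('expires=' + new Date(Date.now() + opts.maxAgeMs).toUTCString());
    }
    parts.push('path=' + (opts.path || '/'));
    if (opts.domain) { parts.push('domain=' + opts.domain); }
    if (opts.sameSite) { parts.push('SameSite=' + opts.sameSite); }
    // Single decision point: no caller can forget the flag.
    if (config.secure) { parts.push('secure'); }
    var cookie = parts.join('; ');
    sink(cookie);
    return cookie;
  }
  return { setCookie: setCookie };
}

// Returns the names of cookies whose attribute list lacks "secure".
function findInsecureCookies(cookieStrings) {
  return cookieStrings.filter(function (c) {
    var attrs = c.split(';').slice(1).map(function (a) {
      return a.trim().toLowerCase();
    });
    return attrs.indexOf('secure') === -1;
  }).map(function (c) { return c.split('=')[0].trim(); });
}

function demo() {
  var written = [];
  var writer = createCookieWriter({ secure: true }, function (c) { written.push(c); });
  // Constructed sample values.
  writer.setCookie('_pk_ref.1.abcd', '["","",0,"https://example.org/"]', { maxAgeMs: 1000 });
  writer.setCookie('_pk_custom_example', 'value');
  // Constructed cookie string built outside the writer, without the flag.
  written.push('_pk_legacy_example=1; path=/');
  return findInsecureCookies(written);
}
```

In a browser test, the same audit can be run by wrapping the `document.cookie` setter and collecting the strings passed to it, since reading `document.cookie` back does not expose attributes.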