HttpOnly flag for persistence cookies in HAProxy

A client arranged a penetration test in order to achieve PCI compliance, and it was found that not all cookies carried the HttpOnly flag. That is an automatic fail, because you are apparently more vulnerable to XSS attacks if you don’t set HttpOnly on your cookies.

This problem turned out to be caused by the HAProxy load balancer not adding HttpOnly to its persistence (sticky session) cookies, so I checked the HAProxy manual and did some googling, but I couldn’t find any way of making HAProxy’s persistence cookies add the HttpOnly flag.
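The finding above is the kind of thing a PCI scanner or pentester produces by inspecting every `Set-Cookie` header in a response. The following is an added example, not code from the original post or from HAProxy: a small auditor that parses `Set-Cookie` values and reports cookies lacking `HttpOnly` (and, optionally, `Secure`). The sample headers are constructed; the persistence cookie name `SERVERID` is an assumption, not taken from the post.

```python
"""Audit Set-Cookie response headers for missing HttpOnly / Secure attributes."""
from dataclasses import dataclass, field

# Constructed sample response headers, as a load-balanced application might
# return them: the application's own session cookie carries both flags, while
# a persistence cookie inserted by a load balancer (name SERVERID is assumed)
# and a preferences cookie do not.
SAMPLE_HEADERS = [
    "JSESSIONID=2F1A9C; Path=/; Secure; HttpOnly",
    "SERVERID=web01; path=/",
    "prefs=dark; Path=/; Max-Age=31536000",
]


@dataclass
class CookieInfo:
    name: str
    # lower-cased attribute name -> value, or None for flag attributes
    attributes: dict = field(default_factory=dict)

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header_value: str) -> CookieInfo:
    """Split one Set-Cookie value into the cookie name and its attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    flag attributes such as HttpOnly and Secure carry no value and map to None.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return CookieInfo(name=name.strip(), attributes=attrs)


def audit_cookies(header_values, require_secure=True):
    """Return a list of (cookie name, missing attribute) findings.

    Every cookie must carry HttpOnly; Secure is required as well unless the
    caller opts out (e.g. when auditing a plain-HTTP test instance).
    """
    findings = []
    for hv in header_values:
        cookie = parse_set_cookie(hv)
        if not cookie.httponly:
            findings.append((cookie.name, "HttpOnly"))
        if require_secure and not cookie.secure:
            findings.append((cookie.name, "Secure"))
    return findings


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS):
        print(f"cookie {name!r} is missing the {missing} attribute")
```

In practice the header values come from the HTTP response object of whatever client you use to fetch the site; the auditor only needs the list of `Set-Cookie` values. Because a load balancer adds its persistence cookie outside the application's code, it is worth running this against the balanced hostname rather than a single backend, or the balancer's cookie will never appear in the results.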
