I used OKTA login for my Angular Application. When we sent the application for penetration testing, the following issue was raised.
Cookies were identified without the HTTPOnly flag set, potentially allowing the cookies to be accessed by client-side scripts.
The following cookies were set without the HTTPOnly flag:
ADRUM_BT1 ADRUM_BTa DT JSESSIONID proximity_14b727894adaba3d6f9e90c4fa86cf430 proximity_2ac00f0ba5abcfa18b09c643586c3d4bc proximity_940ber3ce534851dba7d7aaeedb3e959 t
HTTPOnly header is set on all HTTP cookies. It should be noted that there may be legitimate client-side scripts within the application that read or write the cookie's value. If this is the case, then it may not be possible to enable this flag.
Session cookies found without the Secure cookie flag set
The following cookies were set without the secure flag:
ADRUM_BTX ADRUM_BTY JSESSIONID t
Reviewing all application cookies and setting the Secure attribute on all.
PS: All these cookies are generated by the OKTA library; can you please fix this?
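As an added example (not code from the post or from Okta's library), a small Python audit that reproduces the two pentest checks above over constructed `Set-Cookie` headers, and shows the corresponding hardening with the report's own caveat: cookies that legitimate client-side scripts must read are listed in `js_readable` and get `Secure` but not `HttpOnly`. The cookie names echo the finding; the values and attributes are made up.

```python
from typing import Dict, List, FrozenSet

# Constructed sample Set-Cookie headers, as an intercepting proxy would capture them.
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=abc123; Path=/",                     # neither flag
    "DT=token-value; Path=/; Secure",                # Secure only
    "ADRUM_BT1=R:0|i:1; Path=/; Secure; HttpOnly",   # both flags
    "t=1; Path=/; HttpOnly",                         # HttpOnly only
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Return the cookie names missing HttpOnly and the ones missing Secure,
    i.e. the two findings raised in the penetration test report."""
    findings: Dict[str, List[str]] = {"missing_httponly": [], "missing_secure": []}
    for header in headers:
        cookie = parse_set_cookie(header)
        if "httponly" not in cookie["attrs"]:
            findings["missing_httponly"].append(cookie["name"])
        if "secure" not in cookie["attrs"]:
            findings["missing_secure"].append(cookie["name"])
    return findings


def harden_set_cookie(header: str, js_readable: FrozenSet[str] = frozenset()) -> str:
    """Append the missing flags. Cookies in js_readable are read by legitimate
    client-side scripts, so HttpOnly is deliberately not added to them."""
    cookie = parse_set_cookie(header)
    hardened = header.rstrip("; ")
    if "secure" not in cookie["attrs"]:
        hardened += "; Secure"
    if "httponly" not in cookie["attrs"] and cookie["name"] not in js_readable:
        hardened += "; HttpOnly"
    return hardened


if __name__ == "__main__":
    print(audit_cookies(SAMPLE_SET_COOKIE_HEADERS))
    for h in SAMPLE_SET_COOKIE_HEADERS:
        print(harden_set_cookie(h, js_readable=frozenset({"DT"})))
```

Run it against headers captured from the real login flow to confirm which cookies the Okta library sets and which your own Angular code actually reads before deciding where `HttpOnly` can be enabled.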