STIGhubSTIGhub
STIGsSearchCompareAbout

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • VPAT
  • DISA STIG Library
STIGs updated 2 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Web Server Security Requirements Guide

V-206437

CAT II (Medium)

Cookies exchanged between the web server and the client, such as session cookies, must have cookie properties set to prohibit client-side scripts from reading the cookie data.

Rule ID

SV-206437r961632_rule

STIG

Web Server Security Requirements Guide

Version

V4R4

CCIs

CCI-002418

Discussion

A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts the cookie. Setting cookie properties (i.e. HttpOnly property) to disallow client-side scripts from reading cookies better protects the information inside the cookie.

Check Content

Review the web server documentation and deployed configuration to determine how to disable client-side scripts from reading cookies.

If the web server is not configured to disallow client-side scripts from reading cookies, this is a finding.

Fix Text

Configure the web server to disallow client-side scripts the capability of reading cookie information.