The client security team observed that the HttpOnly and Secure flags are missing from the s_cc and mbox cookies, and that this could lead to various attacks.
The Secure flag restricts a cookie to transmission over a secure channel, while the HttpOnly flag prevents client-side scripts from reading the cookie; failure to set these flags leaves the cookies exposed to attack. Also, because the mbox cookie is persistent, its contents remain available even after the browser is closed, and an attacker could use this data for malicious activity.
Is it possible to set the HttpOnly flag on the s_cc and mbox cookies?
The HttpOnly flag cannot be set on these cookies, as doing so would break their functionality.
To mitigate concerns about the Secure flag not being set, the recommended option is to use first-party SSL for Data Collection and to send the HSTS header on your domain, so that all traffic, including these cookies, is guaranteed to travel over HTTPS.
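An added check for this mitigation (example code, not from the original article): it parses a response's Set-Cookie and Strict-Transport-Security headers, reports cookies missing the Secure or HttpOnly flag, records s_cc and mbox as accepted exceptions for HttpOnly, and treats a missing Secure flag as mitigated when HSTS is present. The sample headers are constructed.

```python
"""Audit Set-Cookie flags and HSTS on a set of HTTP response headers (added example)."""
import re

# Cookies the article says must stay readable by client-side script, so a
# missing HttpOnly flag on them is reported as accepted, not as a finding.
SCRIPT_READ_COOKIES = {"s_cc", "mbox"}

def parse_set_cookie(header_value):
    """Return (cookie_name, {attribute: value_or_True}) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs

def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, 0 if the header has none, None if absent."""
    for key, value in headers:
        if key.lower() == "strict-transport-security":
            match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
            return int(match.group(1)) if match else 0
    return None

def audit(headers):
    """Return (cookie, note) pairs describing flag problems in the response headers."""
    findings = []
    hsts = hsts_max_age(headers)
    if hsts is None:
        findings.append(("*", "missing Strict-Transport-Security header"))
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            # With HSTS active the browser only speaks HTTPS to the domain,
            # so the missing Secure flag is mitigated rather than open.
            status = "mitigated by HSTS" if hsts else "finding"
            findings.append((name, f"missing Secure ({status})"))
        if "httponly" not in attrs:
            if name in SCRIPT_READ_COOKIES:
                findings.append((name, "missing HttpOnly (accepted: read by client-side script)"))
            else:
                findings.append((name, "missing HttpOnly (finding)"))
    return findings

# Constructed sample response headers as (name, value) pairs.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "s_cc=true; Path=/"),
    ("Set-Cookie", "mbox=constructed-value; Path=/; Max-Age=63072000"),
    ("Set-Cookie", "JSESSIONID=constructed; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for cookie, note in audit(SAMPLE_HEADERS):
        print(f"{cookie}: {note}")
```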