Client security team observed that the HttpOnly and Secure flags are missing for the “s_cc” and “mbox” cookies, and this could lead to various attacks.
As the Secure flag for a cookie will allow the cookie to be sent only over a secure channel, while the HttpOnly flag will protect the cookie from client-side scripting, failure to set those flags will make the cookies vulnerable to attacks. Also, as the mbox cookie is persistent, it still shows cookie information even after closing the browser, and using this data an attacker could do malicious activities.
Is it possible to set the Secure and HttpOnly flags on the s_cc and mbox cookies?
We cannot set the ‘Secure’ and ‘HttpOnly’ flags on these cookies as it would break their functionality.
One option we recommend to mitigate any concerns around the ‘Secure’ flag not being set is to use first-party SSL on Data Collection and to support the HSTS header on your domain, so all traffic is ensured to be over https, including these cookies.
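As an added example (not from the original thread or from the vendor), a small Python audit of the headers this exchange turns on: it reports, per cookie, the missing Secure/HttpOnly flags and whether the cookie is persistent, and treats a usable Strict-Transport-Security header as the compensating control for the missing Secure flag, as the answer suggests. The cookie values and header lines are constructed.

```python
from dataclasses import dataclass


@dataclass
class CookieCheck:
    name: str
    secure: bool
    httponly: bool
    persistent: bool  # Expires or Max-Age present: survives closing the browser


def parse_set_cookie(value: str) -> CookieCheck:
    """Parse one Set-Cookie header value into the flags the question asks about."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; Secure and HttpOnly carry no value.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return CookieCheck(name, "secure" in attrs, "httponly" in attrs,
                       "expires" in attrs or "max-age" in attrs)


def hsts_max_age(value: str):
    """Return max-age seconds from a Strict-Transport-Security value, or None if unusable."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit(headers):
    """headers: (name, value) pairs from one HTTPS response. Returns finding strings."""
    hsts, cookies = None, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(parse_set_cookie(value))
        elif name.lower() == "strict-transport-security":
            hsts = hsts_max_age(value)
    hsts_ok = hsts is not None and hsts > 0  # max-age=0 switches HSTS off
    findings = []
    for c in cookies:
        if not c.secure:
            # Once the browser knows the HSTS policy it upgrades every http:// request to
            # this host, so the cookie is no longer sent in clear even without Secure.
            findings.append(f"{c.name}: no Secure flag" + (" (mitigated by HSTS)" if hsts_ok else ""))
        if not c.httponly:
            findings.append(f"{c.name}: no HttpOnly flag, readable by page scripts")
        if c.persistent:
            findings.append(f"{c.name}: persistent, kept after the browser closes")
    if not hsts_ok:
        findings.append("host: no usable Strict-Transport-Security header")
    return findings


# Constructed sample response headers, not captured from any real site.
SAMPLE_HEADERS = [
    ("Set-Cookie", "s_cc=true; Path=/"),
    ("Set-Cookie", "mbox=PC#constructed-id; Path=/; Max-Age=63072000"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_HEADERS):
        print(line)
```

Run against the constructed headers it reports both cookies without Secure (mitigated by HSTS) and HttpOnly, and mbox as persistent; dropping the HSTS line adds a host-level finding.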