Article - CS382991
Setting the SameSite attribute on the Set-Cookie HTTP response header within responses generated by ThingWorx Platform
Modified: 19-Dec-2022
Applies To
- ThingWorx Platform 8.5 to 9.3
Description
- How to set the SameSite attribute of the Set-Cookie response header generated by ThingWorx Platform?
- How to configure Apache Tomcat to set the sameSiteCookies attribute of its CookieProcessor?
- Need to support ThingWorx Platform in a cross-domain environment
- Given this requirement the SameSite cookie attribute needs to be set to none
- Performed a vulnerability scan of ThingWorx Platform and found that sensitive information is being shared via cookies without the SameSite attribute being set to strict
- ThingWorx Platform should have the SameSite attribute for Cookies set to strict
- Vulnerability scan showed sensitive cookie with improper same-site attribute on ThingWorx Platform
- Security Team has identified a possible vulnerability with ThingWorx Platform regarding the default setting of the sameSiteCookies attribute in the Cookie Processor of Apache Tomcat
- Scanned ThingWorx Platform and found the following vulnerability:
  - Cookie with Insecure or Improper or Missing SameSite attribute