Title: HTTPONLY Last modified: August 28, 2024 --- # HTTPONLY * Resolved [angpanday](https://wordpress.org/support/users/angpanday/) * (@angpanday) * [1 year, 9 months ago](https://wordpress.org/support/topic/httponly/) * I urgently need a to have this issue fixed. Will this plugin be able to fix the problem? * 150123 – Cookie Does Not Contain The “HTTPOnly” Attribute M * The page I need help with: _[[log in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Fhttponly%2F%3Foutput_format%3Dmd&locale=en_US) to see the link]_ Viewing 8 replies - 1 through 8 (of 8 total) * Plugin Author [Mark](https://wordpress.org/support/users/markwolters/) * (@markwolters) * [1 year, 9 months ago](https://wordpress.org/support/topic/httponly/#post-17979613) * Hi [@angpanday](https://wordpress.org/support/users/angpanday/), * Really Simple SSL will add rules to the wp-config.php file to give cookies the HTTPOnly attribute. This will work for first party cookies set on your own domain( for example by plugins on your site). Cookies from third-party services cannot be altered by Really Simple SSL and therefore won’t automatically have the HTTPOnly attribute set. We recommend to enable Really Simple SSL to give local cookies the HTTPOnly attribute. If there are then any third-party cookies left without the HTTPOnly attribute, you can always contact the developer of those services and ask if they can set their cookies with the HTTPOnly attribute. * Thread Starter [angpanday](https://wordpress.org/support/users/angpanday/) * (@angpanday) * [1 year, 9 months ago](https://wordpress.org/support/topic/httponly/#post-17979644) * Thank you for the quick reply Mark. So if I go pro version, will that fix the problem? I don’t have any coding background. I’m just relying on plugins. * By the way, do you want me to post here the evidence to be more elaborate…. * Thread Starter [angpanday](https://wordpress.org/support/users/angpanday/) * (@angpanday) * [1 year, 9 months ago](https://wordpress.org/support/topic/httponly/#post-17979648) * I have already enabled the basic plugin, but still get the same result. * Thread Starter [angpanday](https://wordpress.org/support/users/angpanday/) * (@angpanday) * [1 year, 9 months ago](https://wordpress.org/support/topic/httponly/#post-17979651) * Here is the evidence of the issue: * url: [https://outbackworx.com.au/](https://outbackworx.com.au/) Payload: N/A variants: 6 matched: sbjs_udata=vst%3D1%7C%7C%7Cuip%3D%2 8none%29%7C%7C%7Cuag% 3DMozilla%2F5.0%20%2 8Macintosh%3B%20Intel%20Mac%20OS%20X%2010_1 4_5%29%20AppleWebKit% 2F605.1.15%20%28KHTML %2C%20like%20Gecko%29%20Version%2F12.1.1%20S afari%2F605.1.15; path=/; domain=.outbackworx.com.au Cookies set via JavaScript do not have an associated H TTP response header. ; sbjs_current=typ%3Dtypein%7C%7C%7Csrc%3D% 28d irect%29%7C%7C%7Cmdm%3D%28none%29%7C%7C %7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D% 28n one%29%7C%7C%7Ctrm%3D%28none%29%7C%7C% 7Cid%3D%28none%29%7C%7C%7Cplt%3D%28none% 29%7C%7C%7Cfmt%3D%28none%29%7C%7C%7Ctct %3D%28none%29; path=/; domain=.outbackworx. com.a u Cookies set via JavaScript do not have an associated H TTP response header.; sbjs_current_add=fd%3D2024-08-27%2015%3A19%3A 30%7C%7C%7Cep%3Dhttps%3A%2F%2Foutbackworx. com.au%2F%7C%7C%7Crf%3D%28none%29; path=/; d omain=.outbackworx.com.au Cookies set via JavaScript do not have an associated H TTP response header. ; sbjs_first =typ%3Dtypein%7C%7C%7Csrc%3D%28direc t%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7 Ccmp% 3D%28none%29%7C%7C%7Ccnt%3D%28none %29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Ci d%3D% 28none%29%7C%7C%7Cplt%3D%28none%29 %7C%7C%7Cfmt%3D%28none%29%7C%7C%7Ctct%3 D% 28none%29; path=/; domain=.outbackworx.com.au Cookies set via JavaScript do not have an associated H TTP response header * main=.outbackworx.com.au Cookies set via JavaScript do not have an associated H TTP response header. ; sbjs_migrations=1418474375998%3D1; path=/; domain =. outbackworx.com.au Cookies set via JavaScript do not have an associated H TTP response header. ; sbjs_session=pgs%3D1%7C%7C%7Ccpg%3Dhttps%3 A%2F%2Foutbackworx. com.au%2F; expires=Tue Aug 2 7 08:49:30 2024; path=/; domain=.outbackworx.com. au; max-age=373 Cookies set via JavaScript do not have an associated H TTP response header. url: [https://outbackworx.com.au/product/roo-bottle-opener](https://outbackworx.com.au/product/roo-bottle-opener)- and-pry/ Payload: N/A variants: 2 matched: woocommerce_items_in_cart= 302 Found Date: Tue, 27 Aug 2024 15:21:10 GMT Content-Type: text/html; charset=UTF-8 Transfer- Encoding: chunked Connection: keep-alive Cache-Control: no-cache, must-revalidate, max-age=0 expires: Wed, 11 Jan 1984 05:00:00 GMT location: [https://outbackworx.com.au/product/roo-bottle-o](https://outbackworx.com.au/product/roo-bottle-o) pener-and-pry/?product_added_to_cart=238&quantit y=1 set-cookie: woocommerce_items_in_cart =1; path=/ woocommerce_cart_hash=5992227348df71aa5b4143c38 e72915e; path= * idence Exceptions, False Positives, or Compensating Controls Noted by the ASV for this Vulnerability wp_woocommerce_session_eca4a8e84b21e0cf06c675c 02e854963 =t_5401661741dc7729abe2ad3ed96a58%7C %7C1724944870%7C%7C1724941270%7C%7C843627 ef36fa667d7d5c65e81f62628b; expires=Thu, 29-Aug-202 4 15:21:10 GMT; Max-Age=172800; path=/; secure; Http Only x-cacheproxy-retries: 0/2 x-content-type-options: nosniff x-fawn-proc-count: 3,1,24 x-php-version: 8.0 x-redirect-by: WordPress x-xss-protection: 1; mode=block x-backend: varnish_ssl strict-transport-security: max-age=31536000; includeSub Domains CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8b9d0cbde8bf312e- LAX alt-svc: h3=”:443″; ma=86400 * Plugin Author [Mark](https://wordpress.org/support/users/markwolters/) * (@markwolters) * [1 year, 9 months ago](https://wordpress.org/support/topic/httponly/#post-17984510) * Hi [@angpanday](https://wordpress.org/support/users/angpanday/), * Really Simple SSL will only set the HTTPOnly cookies for cookies from your own plugins/theme, not for third-party cookies as we cannot alter those. The HTTPOnly attribute can also not be set for cookies set using Javascript. * [ronnieb](https://wordpress.org/support/users/ronnieburn/) * (@ronnieburn) * [1 year, 9 months ago](https://wordpress.org/support/topic/httponly/#post-17985969) * Hi * I have the same problem, Trying to get wordpress through a PCI security scan to become payment standards compliant * Cookies set via JavaScript do not have an associated HTTP response header. * errors shown sbjs_udata, sbjs_current, sbjs_current_add, sbjs_first, sbjs_first_add, sbjs_migrations, sbjs_session * [ronnieb](https://wordpress.org/support/users/ronnieburn/) * (@ronnieburn) * [1 year, 9 months ago](https://wordpress.org/support/topic/httponly/#post-17986021) * I have come across a different thread that shows this * **WooCommerce > Settings > Advanced > Features > Order Attribution**. untick the box and clear the cache * not sure if it helps, until i run a scan. I can’t see if its properly fixed * Thread Starter [angpanday](https://wordpress.org/support/users/angpanday/) * (@angpanday) * [1 year, 9 months ago](https://wordpress.org/support/topic/httponly/#post-17986363) * Its all good now. I really appreciate all your help. Cheers! Viewing 8 replies - 1 through 8 (of 8 total) The topic ‘HTTPONLY’ is closed to new replies. * ![](https://ps.w.org/really-simple-ssl/assets/icon-256x256.png?rev=2839720) * [Really Simple Security - Simple and Performant Security (formerly Really Simple SSL)](https://wordpress.org/plugins/really-simple-ssl/) * [Frequently Asked Questions](https://wordpress.org/plugins/really-simple-ssl/#faq) * [Support Threads](https://wordpress.org/support/plugin/really-simple-ssl/) * [Active Topics](https://wordpress.org/support/plugin/really-simple-ssl/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/really-simple-ssl/unresolved/) * [Reviews](https://wordpress.org/support/plugin/really-simple-ssl/reviews/) * 9 replies * 3 participants * Last reply from: [angpanday](https://wordpress.org/support/users/angpanday/) * Last activity: [1 year, 9 months ago](https://wordpress.org/support/topic/httponly/#post-17986363) * Status: resolved