• Resolved murrayelliot2

    (@murrayelliot2)


    I’m running security scans across my site as required for PCI compliance checks and am getting a fail, details below.

    Has anyone else come across this and been able to overcome it, or is it an inherent weakness?

    Error: Insecure configuration of Cookie attributes

    Solution: It is important to set Secure and HTTPOnly flags for all the cookies on the application. The Secure flag prevents cookies from being transmitted over clear text. An HTTPOnly flag would limit cookie access in cases of Cross-Site Scripting issues.
    Proper Caching headers should be set for responses carrying the cookie.
    Cookies set on the client side should also contain Secure and HTTPOnly tags.

    Ensure that any web applications running on this host is configured following industry security best practices.

    DetectionDetails: Cookie Vulnerabilities Found
    woocommerce_cart_hash = <hash code>
    Path = /
    Host = <host>
    Cookie does not have secure attribue in HTTPS
    Cookie does not have an HTTPOnly Attribute
    Cookie Change Observed on CLIENTside

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support shahzeen (woo-hc)

    (@shahzeenfarooq)

    Hi there,

    Thanks for sharing the details. I understand why this would raise concerns during PCI compliance checks.

    This behavior is expected and not specific to a security flaw in WooCommerce itself.

    The woocommerce_cart_hash cookie is used to detect changes in the cart and is intentionally accessible on the client side. Because of this, it is not set with the HttpOnly flag, and in some environments it may also be flagged as missing the Secure attribute by automated scanners.

    A few important points to clarify:

    • WooCommerce does not control cookie headers at the server level. Attributes like Secure, HttpOnly, and caching headers are ultimately handled by:
      • Your web server configuration (Apache/Nginx)
      • PHP session handling
      • CDN / proxy layers (e.g. Cloudflare)
    • Some cookies (including cart-related cookies) are expected to change client-side and may be reported by scanners even though they are functioning as designed.
    • Automated PCI scanners often produce false positives, especially around application cookies that are not authentication-related.

    What you can do next

    To address PCI scan requirements, you’ll want to:

    • Confirm that your site is fully served over HTTPS
    • Review server- or host-level cookie policies
    • Consult your hosting provider or security team to determine whether cookie attributes can or should be modified globally without breaking application functionality

    Because this involves server-level security configuration and PCI interpretation, it falls outside the scope of WooCommerce core support, but your host should be able to help you align the environment with PCI expectations.

    Thank you for your cooperation and understanding.
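One way to check a server-level fix before paying for another scan, as an added example that is not from this thread or from WooCommerce: a small Python audit that applies the two attribute checks the scanner reported, Secure and HttpOnly, to the Set-Cookie headers of one response. It treats a missing HttpOnly on cookies the storefront reads from browser script as expected (the `JS_READABLE_COOKIES` allowlist is an assumption about which cookies those are) while still requiring Secure on every cookie served over HTTPS, since Secure never interferes with script access. The sample headers are constructed placeholders, not captured data.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not code from WooCommerce or from this thread. It reproduces the
kind of check an automated PCI scanner runs, so a site owner can confirm a
server-level fix before re-running the scan. The sample headers are constructed
placeholders; JS_READABLE_COOKIES is an assumption about which cookies the
storefront reads from client-side script.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample of Set-Cookie headers from an HTTPS storefront response.
# Values are placeholders, not captured data.
SAMPLE_SET_COOKIE_HEADERS = [
    "woocommerce_cart_hash=PLACEHOLDER_HASH; Path=/",
    "woocommerce_items_in_cart=1; Path=/",
    "wordpress_logged_in_PLACEHOLDER=user%7Ctoken; Path=/; HttpOnly",
    "PHPSESSID=PLACEHOLDER_ID; Path=/; Secure; HttpOnly",
]

# Assumption: these cookies are read by client-side script by design, so a
# missing HttpOnly is expected on them. Secure still applies to them on HTTPS.
JS_READABLE_COOKIES = {"woocommerce_cart_hash", "woocommerce_items_in_cart"}


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    # Findings that need a configuration fix (e.g. "missing Secure").
    defects: List[str] = field(default_factory=list)
    # Findings that are by design and only need documenting for the assessor.
    notes: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie header into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to None because they carry no value.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return name, attrs


def audit_cookie(header: str, over_https: bool = True) -> CookieAudit:
    """Apply the scanner's two attribute checks to a single Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    audit = CookieAudit(name=name, secure="secure" in attrs, httponly="httponly" in attrs)
    if over_https and not audit.secure:
        # Secure never blocks script access, so its absence is a defect on every cookie.
        audit.defects.append("missing Secure")
    if not audit.httponly:
        if name in JS_READABLE_COOKIES:
            audit.notes.append("missing HttpOnly (expected: cookie is read by client-side script)")
        else:
            audit.defects.append("missing HttpOnly")
    return audit


def audit_response(headers: List[str], over_https: bool = True) -> List[CookieAudit]:
    """Audit every Set-Cookie header of one response."""
    return [audit_cookie(h, over_https) for h in headers]


def defects_by_cookie(headers: List[str], over_https: bool = True) -> Dict[str, List[str]]:
    """Map cookie name -> defects to fix; cookies with no defects are omitted."""
    return {a.name: a.defects for a in audit_response(headers, over_https) if a.defects}


if __name__ == "__main__":
    for audit in audit_response(SAMPLE_SET_COOKIE_HEADERS):
        status = "FAIL" if audit.defects else "ok"
        print(f"{status:4} {audit.name}: defects={audit.defects} notes={audit.notes}")
```

To use it on a real site, replace the sample list with the Set-Cookie headers captured from your own storefront's responses (browser developer tools or a curl -I against the page). The split between defects and notes mirrors the reply above: Secure can be added globally at the web server or proxy without breaking anything, whereas forcing HttpOnly on every cookie would break cart cookies the storefront reads from script, so those are better documented as by design than "fixed".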

  • Plugin Support Kay U (a11n)

    (@kingsleyinfo)

    Since there’s been no recent activity on this thread, I’m marking it as resolved. Don’t hesitate to start a new thread if you need help in the future.
