Title: PCI compliance and cookie security
Last modified: February 22, 2026

---

# PCI compliance and cookie security

 *  Resolved [murrayelliot2](https://wordpress.org/support/users/murrayelliot2/)
 * (@murrayelliot2)
 * [2 months ago](https://wordpress.org/support/topic/pci-compliance-and-cookie-security/)
 * I’m running security scans across my site as required for PCI compliance checks
   and am getting a fail, details below.
 * Has anyone else come across this and been able to overcome it, or is it an inherent
   weakness?
 * _Error: Insecure configuration of Cookie attributes_
 * _Solution: It is important to set Secure and HTTPOnly flags for all the cookies
   on the application. The Secure flag prevents cookies from being transmitted over
   clear text. An HTTPOnly flag would limit cookie access in cases of Cross-Site
   Scripting issues. Proper Caching headers should be set for responses carrying
   the cookie. Cookies set on the client side should also contain Secure and HTTPOnly
   tags. Ensure that any web applications running on this host is configured following
   industry security best practices._
 * _DetectionDetails: Cookie Vulnerabilities Found_
    - _woocommerce\_cart\_hash = <hash code>_
    - _Path = /_
    - _Host = <host>_
    - _Cookie does not have secure attribute in HTTPS_
    - _Cookie does not have an HTTPOnly Attribute_
    - _Cookie Change Observed on CLIENTside_


 *  Plugin Support [shahzeen(woo-hc)](https://wordpress.org/support/users/shahzeenfarooq/)
 * (@shahzeenfarooq)
 * [2 months ago](https://wordpress.org/support/topic/pci-compliance-and-cookie-security/#post-18829962)
 * Hi there,
 * Thanks for sharing the details. I understand why this would raise concerns during
   PCI compliance checks.
 * This behavior is **expected** and not specific to a security flaw in WooCommerce
   itself.
 * The `woocommerce_cart_hash` cookie is used to detect changes in the cart and 
   is intentionally accessible on the client side. Because of this, it is **not 
   set with the `HttpOnly` flag**, and in some environments it may also be flagged
   as missing the `Secure` attribute by automated scanners.
 * A few important points to clarify:
    - **WooCommerce does not control cookie headers at the server level**. Attributes
      like `Secure`, `HttpOnly`, and caching headers are ultimately handled by:
       * Your web server configuration (Apache/Nginx)
       * PHP session handling
       * CDN / proxy layers (e.g. Cloudflare)
    - Some cookies (including cart-related cookies) are expected to change client-
      side and may be reported by scanners even though they are functioning as designed.
    - Automated PCI scanners often produce **false positives**, especially around
      application cookies that are not authentication-related.
 * What you can do next
 * To address PCI scan requirements, you’ll want to:
    - Confirm that your site is fully served over **HTTPS**
    - Review server- or host-level cookie policies
    - Consult your **hosting provider or security team** to determine whether cookie
      attributes can or should be modified globally without breaking application
      functionality
 * Because this involves server-level security configuration and PCI interpretation,
   it falls **outside the scope of WooCommerce core support**, but your host should
   be able to help you align the environment with PCI expectations.
 * Thank you for your cooperation and understanding.
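The scanner finding from the original post, reproduced as a local check so you can see which cookies on a response would trip it and which are expected to. This is an added example, not WooCommerce or WordPress code; the `JS_READABLE` set and the placeholder cookie names and values in `SAMPLE_HEADERS` are assumptions.

```python
"""Audit Set-Cookie headers the way a PCI scanner does, flagging cookies that
lack Secure (on HTTPS) or HttpOnly. Added example, not WooCommerce/WordPress code."""
from dataclasses import dataclass, field

# Cookies the application deliberately exposes to JavaScript, so HttpOnly would
# break them. woocommerce_cart_hash is the one named in the reply above; the set
# is an assumption to extend from your own application's documentation.
JS_READABLE = {"woocommerce_cart_hash"}

@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    findings: list = field(default_factory=list)

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, {attribute: value}); bare flags map to ''."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name.strip(), attrs

def audit_cookie(header, over_https=True):
    """Return a CookieAudit; findings is empty when both attributes are present."""
    name, attrs = parse_set_cookie(header)
    secure, httponly = "secure" in attrs, "httponly" in attrs
    findings = []
    if over_https and not secure:
        findings.append("missing Secure: browser may also send it over clear-text HTTP")
    if not httponly and name in JS_READABLE:
        findings.append("missing HttpOnly: expected, page script reads this cookie")
    elif not httponly:
        findings.append("missing HttpOnly: readable by injected script after an XSS")
    return CookieAudit(name, secure, httponly, findings)

def audit_headers(set_cookie_headers, over_https=True):
    """Audit every Set-Cookie header of one response, keyed by cookie name."""
    return {a.name: a for a in (audit_cookie(h, over_https) for h in set_cookie_headers)}

# Constructed sample modelled on the scanner output quoted above; all values are placeholders.
SAMPLE_HEADERS = [
    "woocommerce_cart_hash=PLACEHOLDER_HASH; Path=/",
    "wp_woocommerce_session_PLACEHOLDER=PLACEHOLDER; Path=/; HttpOnly",
    "wordpress_logged_in_PLACEHOLDER=PLACEHOLDER; Path=/; Secure; HttpOnly",
]
```

Run `audit_headers` over the Set-Cookie headers of a real response (for example from `curl -sI`) to separate cookies that need a server-level `Secure` flag from those the application intentionally leaves readable by script.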
 *  Plugin Support [Kay U a11n](https://wordpress.org/support/users/kingsleyinfo/)
 * (@kingsleyinfo)
 * [1 month, 4 weeks ago](https://wordpress.org/support/topic/pci-compliance-and-cookie-security/#post-18837419)
 * Since there’s been no recent activity on this thread, I’m marking it as resolved.
   Don’t hesitate to start a new thread if you need help in the future.
