Plugin Author
Paul
(@paultgoodchild)
Hi, thanks for your question. You are correct, not setting the httponly flag does not pose a risk. In fact, it’s required that we don’t set it.
Thanks.
Thanks Paul. When you say “it’s required that we don’t set it”, can you elaborate on this please?
Hi Paul. What I mean is this. If one had to set the httponly attribute for this cookie, would this impact the functionality of a WordPress website in any way? Thank you.
Plugin Author
Paul
(@paultgoodchild)
The purpose of this cookie is to help Shield work around the limitations and errors imposed by page caching plugins, which are, unfortunately, everywhere. A snippet of JavaScript reads this cookie and uses it to make a request to the site for the purposes of helping Shield distinguish between bots and humans.
Since the cookie is read by JavaScript, we can’t set the httponly flag, as this would prevent JavaScript from reading the cookie.
Hope that helps! 🙂
Also, separately, please understand that when you read general purpose advice and comments about “security” and “httponly” flags, and many other things in the world of “security experts”, they can only ever be general comments. They can’t take into consideration all scenarios and requirements, and they don’t know your site and your requirements. They can only ever be used as pointers and guidance, and in this instance, it certainly doesn’t mean “all cookies should be httponly and if they’re not, you’re at risk”. If you’re reading security “advice” that is given as being inflexible, it might be worth reconsidering where you source your advice. Dogmatic and inflexible commentary isn’t helpful and, if anything, can lead to unnecessary anxiety.
Bottom line is this: take rigid, one-size-fits-all advice from “security experts” with a large dose of salt.
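The distinction Paul draws above (a cookie read by page JavaScript cannot carry HttpOnly, while one only the server reads can) is the whole decision. The following is an added example, not code from Shield or from this thread, that models how a browser treats the attribute: HttpOnly cookies are still attached to every request, but are hidden from `document.cookie`. It parses a few constructed Set-Cookie headers (the cookie names `session_id`, `example_cache_bypass` and `legacy_pref` are placeholders, not Shield's real cookie names) and produces a per-cookie audit: a cookie that script needs but that carries HttpOnly would break the feature, a cookie that script never reads but that lacks HttpOnly is a candidate for the flag, and everything else is left alone.

```javascript
// Added example: model the HttpOnly attribute as a browser applies it, then audit
// each cookie against whether page script actually needs to read it.
// All cookie names and values below are constructed placeholders.

// Parse one Set-Cookie header value into name, value and the attributes we care about.
function parseSetCookie(header) {
  const parts = header.split(';').map(s => s.trim()).filter(Boolean);
  const [rawName, ...valueParts] = parts[0].split('=');
  const cookie = {
    name: rawName.trim(),
    value: valueParts.join('='), // values may legitimately contain '='
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = (v || '').trim();
  }
  return cookie;
}

// What document.cookie exposes to page script: only cookies WITHOUT HttpOnly.
function scriptVisibleCookies(jar) {
  return jar
    .filter(c => !c.httpOnly)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// What the browser sends in the Cookie request header: every cookie, HttpOnly or not.
// (Path/Domain/Secure matching is omitted; the point is that HttpOnly does not filter here.)
function requestCookieHeader(jar) {
  return jar.map(c => `${c.name}=${c.value}`).join('; ');
}

// Audit each cookie against the set of names that page script legitimately reads.
function auditCookies(jar, scriptNeeds) {
  return jar.map(c => {
    const needed = scriptNeeds.has(c.name);
    let verdict;
    if (needed && c.httpOnly) {
      verdict = 'broken: script needs this cookie but HttpOnly hides it';
    } else if (!needed && !c.httpOnly) {
      verdict = 'consider HttpOnly: script does not read this cookie';
    } else {
      verdict = 'ok';
    }
    return { name: c.name, httpOnly: c.httpOnly, verdict };
  });
}

// Constructed sample: a server-only session cookie, a cookie a script reads to
// bypass a page cache (the role Paul describes), and an old preference cookie.
const SAMPLE_HEADERS = [
  'session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'example_cache_bypass=xyz789; Path=/; Secure; SameSite=Lax',
  'legacy_pref=dark; Path=/',
];
const JAR = SAMPLE_HEADERS.map(parseSetCookie);
const SCRIPT_NEEDS = new Set(['example_cache_bypass']);

console.log('document.cookie would show:', scriptVisibleCookies(JAR));
console.log('Cookie request header:     ', requestCookieHeader(JAR));
for (const row of auditCookies(JAR, SCRIPT_NEEDS)) {
  console.log(`${row.name.padEnd(22)} httpOnly=${row.httpOnly}  ${row.verdict}`);
}
```

The audit only ever says "consider", because the inventory of which cookies script reads has to come from the site itself, which is exactly Paul's point about generic advice: the flag is right for the session cookie and wrong for the cache-bypass cookie, and no rule that ignores that distinction can tell you which is which.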
Hi Paul. Thanks so much for the explanation. It is clear now why the httponly attribute is not to be set for this cookie. Makes a lot of sense since JavaScript on the client side requires access to this cookie. Again thanks.