Security scans report as a security risk that CFGLOBALS cookies are not marked as secure. We have been unable to find a way to fix this.
From the Acunetix security scan results:
Identified Cookie(s): CFGLOBALS
Cookie Source: HTTP Header
Acunetix 360 identified a cookie not marked as secure, and transmitted over HTTPS.
This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful man-in-the-middle attack.
This cookie will be transmitted over a HTTP connection, therefore if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim’s session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to steal the cookie.
Version: Lucee 220.127.116.11
Version Name: Gelert
Release date: Aug 6, 2021
Remote IP: fe80:0:0:0:f910:5c7e:a8d2:f261%23
Servlet Container: Apache Tomcat/9.0.41
Java: 15.0.1 (Oracle Corporation) 64bit
Windows 64 bit (also happens on Linux)
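One way to reproduce the scanner's check offline, as an added example that is not part of the original post or of Lucee itself: a small Python audit that parses Set-Cookie headers and reports every cookie missing the Secure attribute (and, as a bonus, HttpOnly). The header values are constructed samples shaped like CFML session cookies, not captured from a real server.

```python
from typing import Dict, List, Union

# Constructed sample Set-Cookie headers (not real captures). CFID/CFTOKEN carry
# the flags a scanner expects; CFGLOBALS is emitted without Secure or HttpOnly,
# which is the finding reported above.
SAMPLE_SET_COOKIE_HEADERS = [
    "CFID=example-cfid-value; Path=/; HttpOnly; Secure; SameSite=Lax",
    "CFTOKEN=example-cftoken-value; Path=/; HttpOnly; Secure; SameSite=Lax",
    "CFGLOBALS=urltoken%3Dexample; Expires=Wed, 06 Oct 2021 12:00:00 GMT; Path=/",
]

# Attributes a defender wants on any cookie that can identify a session.
REQUIRED_ATTRS = ("Secure", "HttpOnly")


def parse_set_cookie(header: str) -> Dict[str, Union[str, Dict[str, Union[str, bool]]]]:
    """Split one Set-Cookie header into name, value and a lower-cased attribute map.

    Flag attributes (Secure, HttpOnly) map to True; valued ones (Path, Expires,
    SameSite) keep their string. Splitting on ';' is safe because RFC 6265
    forbids ';' inside cookie values and attribute values.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: [missing attributes]} for cookies lacking Secure or HttpOnly.

    A cookie sent without Secure is also transmitted on plain HTTP requests to the
    same host, which is exactly the exposure the scan describes.
    """
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = [a for a in REQUIRED_ATTRS if a.lower() not in cookie["attrs"]]
        if missing:
            findings[str(cookie["name"])] = missing
    return findings


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```

Feed it the Set-Cookie headers from a real response (for example via `requests.Response.raw.headers.getlist("Set-Cookie")`) to confirm whether a configuration change actually adds the flag before re-running the scanner.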