This thread is resolved. Here is a description of the problem and solution.
Problem:
The client is concerned about security issues identified in a security report, specifically that the HttpOnly flag is missing in the cookie definition, and a session cookie is not marked as secure, even though it is transmitted over HTTPS.
Solution:
We recommend setting the HttpOnly flag on cookies that contain sensitive information, such as session identifiers or user credentials, to mitigate the risk of Cross-Site Scripting (XSS) attacks. However, it's important to note that WPML cookies do not store any sensitive information; they only store the language code. Since a language code is not a session identifier, it does not pose the same security risks. For more details, you can visit our documentation on browser cookies stored by WPML at https://wpml.org/documentation/support/browser-cookies-stored-wpml/.
If this solution does not apply to your case, or if it seems outdated, we highly recommend checking related known issues at https://wpml.org/known-issues/, verifying the version of the permanent fix, and confirming that you have installed the latest versions of themes and plugins. If further assistance is needed, please open a new support ticket at our support forum.
Last updated by 1 week, 2 days ago.
Assisted by: Andreas W..
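To triage a scanner finding like the one in this thread, the following added example (not WPML's code and not part of the original thread) checks `Set-Cookie` headers for missing `HttpOnly` and `Secure` attributes and grades each finding by whether the cookie carries a session or login token. The sample headers are constructed, and the cookie names and the `SENSITIVE_PREFIXES` list are assumptions to adapt to your own site.

```python
# Assumption: name prefixes that mark a cookie as carrying a session or login token.
SENSITIVE_PREFIXES = ("wordpress_logged_in_", "wordpress_sec_", "PHPSESSID")

# Constructed sample Set-Cookie header values (not taken from the thread).
SAMPLE_HEADERS = [
    "wp-wpml_current_language=en; Path=/",            # language preference only
    "PHPSESSID=c0nstructed; Path=/; HttpOnly",        # session id, Secure missing
    "wordpress_logged_in_abc123=constructed; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, set of lowercased attribute names)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return name.strip(), attrs


def audit_set_cookie(header, over_https=True):
    """Return (name, severity, missing_attributes) for one Set-Cookie value."""
    name, attrs = parse_set_cookie(header)
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    # Secure only matters when the site is actually served over HTTPS.
    if over_https and "secure" not in attrs:
        missing.append("Secure")
    if not missing:
        severity = "ok"
    elif name.startswith(SENSITIVE_PREFIXES):
        severity = "fix"            # token readable by script or sent in clear text
    else:
        severity = "informational"  # non-sensitive value such as a language code
    return name, severity, missing


def audit(headers):
    """Audit a list of Set-Cookie header values."""
    return [audit_set_cookie(h) for h in headers]


if __name__ == "__main__":
    for name, severity, missing in audit(SAMPLE_HEADERS):
        print(f"{name}: {severity} (missing: {', '.join(missing) or 'none'})")
```
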