This policy states that any area of the website or web application that contains sensitive information or access to privileged functionality, such as remote site administration, requires that all cookies are sent via SSL during an SSL session. The URL https://172.30.57.156:443/api-gateway/portal//api/properties/system-config/detail has failed this policy. If a cookie is marked with the "Secure" attribute, it will only be transmitted if the communications channel with the host is a secure one. Currently this means that Secure cookies will only be sent to HTTPS (HTTP over SSL/TLS) servers. If Secure is not specified, a cookie is considered safe to be sent in the clear over unsecured channels. In practice the finding means that a response for that URL set a cookie (here the Shiro session cookie or the rememberMe cookie) without the Secure attribute, so the browser would also attach it to a plain http:// request to the same host, where anyone on the network path can read it.
Solution: nginx
Add an add_header directive inside the http block:
    add_header Set-Cookie "Path=/; HttpOnly; Secure";
For example:
    http {
        add_header Set-Cookie "Path=/; HttpOnly; Secure";
    }
Caveat: this is the fix given by the referenced articles, but check what it actually does. add_header appends an extra Set-Cookie header to every response; it does not modify the cookies the application sets. A browser parses "Path=/; HttpOnly; Secure" per RFC 6265 as a cookie named "Path" with value "/", while the application's own session cookie (sid) is still delivered without Secure, so the scanner finding will persist. When nginx proxies to the application, rewrite the upstream cookies instead. On nginx 1.19.3 or later (the upstream name backend is a placeholder for your own):
    location / {
        proxy_pass http://backend;
        proxy_cookie_flags ~ secure httponly;
    }
On older nginx versions the same effect is obtained for cookies whose Path is / with:
    proxy_cookie_path / "/; HttpOnly; Secure";
Either way, re-scan or inspect the Set-Cookie headers of the proxied response to confirm the flags appear on the real session cookie, not on a new throwaway one.
Solution: Shiro
In the beans named sessionIdCookie and rememberMeCookie, add
    cookie.setSecure(true);
For example:
    import org.apache.shiro.web.servlet.SimpleCookie;
    import org.springframework.context.annotation.Bean;

    @Bean(name = "sessionIdCookie")
    public SimpleCookie getSessionIdCookie() {
        SimpleCookie cookie = new SimpleCookie("sid");
        cookie.setHttpOnly(true);
        cookie.setSecure(true); // add this line
        return cookie;
    }

    @Bean(name = "rememberMeCookie")
    public SimpleCookie getRememberMeCookie() {
        SimpleCookie cookie = new SimpleCookie("rememberMe");
        cookie.setHttpOnly(true);
        cookie.setSecure(true); // add this line
        return cookie;
    }
Two things to check. First, these beans only take effect if they are the cookie templates actually wired into Shiro, i.e. passed to DefaultWebSessionManager.setSessionIdCookie(...) and CookieRememberMeManager.setCookie(...); a SimpleCookie bean that nothing references changes nothing. Second, set the flag unconditionally as above rather than deriving it from the request scheme: when TLS terminates at nginx the application sees a plain HTTP request, yet the browser-facing connection is HTTPS. The consequence is that a browser will no longer send the session cookie over plain http://, so a development environment served without TLS will lose its sessions; that is the intended behaviour, not a bug.
References
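To verify either fix without waiting for the next scan, inspect the Set-Cookie headers the host returns and check each cookie for the Secure and HttpOnly attributes. The following is an added example written for this page, not code from the original post, nginx or Shiro. It parses Set-Cookie values the way RFC 6265 section 5.2 prescribes (the first name=value token is the cookie, each later ;-separated token an attribute), reports cookies that would fail the policy, and shows what the add_header form above produces. The header lines it works on are constructed for the example, not captured from the scanned host; in a real check you would feed it the Set-Cookie headers of the actual HTTPS response.

```python
"""Audit Set-Cookie response headers for the Secure and HttpOnly attributes.

Added example, not code from the original post or from nginx/Shiro.
Parsing follows RFC 6265 section 5.2: the text before the first ';' is the
name=value pair, every later ';'-separated token is an attribute.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ParsedCookie:
    name: str
    value: str
    # attribute name (lower-cased) -> attribute value ('' for flag attributes)
    attributes: Dict[str, str] = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes


def parse_set_cookie(header_value: str) -> Optional[ParsedCookie]:
    """Parse one Set-Cookie header value; None where a browser would discard it."""
    tokens = [t.strip() for t in header_value.split(";")]
    name_value = tokens[0]
    if "=" not in name_value:
        return None  # RFC 6265 5.2: no '=' in the first token -> header ignored
    name, _, value = name_value.partition("=")
    name, value = name.strip(), value.strip()
    if not name:
        return None  # RFC 6265 5.2: empty cookie name -> header ignored
    attributes: Dict[str, str] = {}
    for token in tokens[1:]:
        if not token:
            continue
        attr_name, _, attr_value = token.partition("=")
        attributes[attr_name.strip().lower()] = attr_value.strip()
    return ParsedCookie(name, value, attributes)


def audit_set_cookie_headers(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (cookie name, problems) for every Set-Cookie header that fails the policy."""
    findings: List[Tuple[str, List[str]]] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie is None:
            findings.append((header, ["malformed: browser ignores this Set-Cookie"]))
            continue
        problems = []
        if not cookie.secure:
            problems.append("missing Secure")
        if not cookie.httponly:
            problems.append("missing HttpOnly")
        if problems:
            findings.append((cookie.name, problems))
    return findings


# Constructed sample headers (not captured from the scanned host).
BEFORE_FIX = [
    "sid=3f9c2a1b; Path=/; HttpOnly",          # Shiro session cookie without Secure
    "rememberMe=deleteMe; Path=/; Max-Age=0",  # neither Secure nor HttpOnly
]
AFTER_FIX = [
    "sid=3f9c2a1b; Path=/; HttpOnly; Secure",
    "rememberMe=deleteMe; Path=/; Max-Age=0; HttpOnly; Secure",
]
# The header that `add_header Set-Cookie "Path=/; HttpOnly; Secure";` emits.
NGINX_ADD_HEADER = "Path=/; HttpOnly; Secure"


def main() -> None:
    print("before fix:", audit_set_cookie_headers(BEFORE_FIX))
    print("after fix: ", audit_set_cookie_headers(AFTER_FIX))
    bogus = parse_set_cookie(NGINX_ADD_HEADER)
    # This is a separate cookie named "Path"; the sid cookie is untouched.
    print("nginx add_header sets cookie", repr(bogus.name), "=", repr(bogus.value))


if __name__ == "__main__":
    main()
```

Run against the headers of the real response (for example the Set-Cookie values from curl -sI on the failing URL) and the fix is confirmed when the audit returns an empty list for every cookie the application sets, not merely when a Secure flag appears somewhere in the response.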
https://vulncat.fortify.com/en/detail?id=desc.config.java.cookie_security_cookie_not_sent_over_ssl#Java%2FJSP
https://geekflare.com/httponly-secure-cookie-nginx/
https://www.twblogs.net/a/5e4e2e27bd9eee101df442bf