HttpOnly cookie policy breaks the back office?
# help-with-umbraco
d
Can anyone confirm this? In **10.8.5** I've set a cookie policy in `Startup.cs` like this:

`app.UseCookiePolicy(new CookiePolicyOptions { Secure = CookieSecurePolicy.Always, HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always });`

This should ensure ASP.NET sets all cookies as both Secure and HttpOnly. However, once I've done this and cleared all cookies and then I try and log into the back office, it doesn't load correctly. I can see that all of the Umbraco Angular.js controllers that make XHR requests fail to load and return a `417 Expectation Failed` error. See screenshot. As soon as I remove the HttpOnly option it all loads again. Before reporting this I just want to check whether anyone can confirm this or whether it's somehow peculiar to my set-up? https://cdn.discordapp.com/attachments/1227205763328507975/1227205763680960542/image.png?ex=66278f6e&is=66151a6e&hm=15226dacf566592f76310b3df7322a42f7b1458abc85dc0895bf071fd0b06654&
s
That's probably correct, but it might work if you actually force Umbraco to be on HTTPS, not sure: https://docs.umbraco.com/umbraco-cms/extending/health-check/guides/httpsconfiguration If that doesn't help then it's because you're changing the behavior that we expect. As a rule of thumb: let us worry about securing the backoffice, you should worry about securing everything else you build. So my recommendation would be to only apply the policy if the route isn't under `umbraco`.
d
Yeah, reading up, it appears that HttpOnly cookies are not accessible to JavaScript, so it makes sense that it would break the Angular controllers that might use them. I hadn't realised this, so my bad. So it only makes sense to set this for cookies that are fully server-side. The trouble is, a client gets a pen test and they flag these things and insist they are fixed, and aren't aware of the nuances of security. Cheers!
s
Yeah, we get questions like these all the time. The team is happy to send an official reply back if you mail them at security@umbraco.com to ease the minds of the security people.
k
Out of curiosity, why did you want to limit ASP.NET to HttpOnly cookies if you weren't aware of the non-JS-accessibility thing? That's usually what I'm after when using HttpOnly. 🙂