Nov 21, 2023

Cookies penetration test remediations

Good day,

We recently had penetration testing conducted on our HealthShare Clinical Viewer and Patient Index instances, and below are the recommendations:

1. Set a SameSite cookie attribute for the identified cookie CSPWSERVERID. Please advise where I can do this, as I only saw this in the Web Gateway settings, and it has only enable and disable options.

2. Avoid the use of session cookies as an anti-CSRF token on the identified cookie IRISSessionToken. Please advise whether this is used as a session cookie, as they mentioned that if it is not used as a session cookie we can ignore their recommended remediation. I found that this is set under %CSP.Login. Please provide a motivation for not removing this if we opt not to remove it as per the findings.

Product version: IRIS 2020.2
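An added example for verifying the first remediation once it is applied, not code from the original post or from InterSystems: it parses Set-Cookie headers and flags cookies that lack SameSite, Secure or HttpOnly, and it reports a SameSite=None cookie without Secure, which browsers reject. The sample headers and their values are constructed; the fetch helper name and the assumption that the viewer's login page is what sets these cookies are the example's own, not the product's.

```python
"""Audit Set-Cookie headers for SameSite / Secure / HttpOnly.

Added example for checking a cookie-hardening remediation; not code
from InterSystems or from the original post. The sample headers below
are constructed for illustration.
"""
from __future__ import annotations

import urllib.request

# Constructed Set-Cookie headers (hypothetical values) as a pentest
# report might list them: one cookie missing SameSite, one hardened.
SAMPLE_HEADERS = [
    "CSPWSERVERID=abc123; path=/; HttpOnly",
    "IRISSessionToken=deadbeef; path=/; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued attributes (Path, SameSite) to their string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str) -> list[str]:
    """Return the list of weaknesses found in one Set-Cookie header."""
    attrs = parse_set_cookie(header)["attrs"]
    findings: list[str] = []
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        # No SameSite at all (a bare "SameSite" flag counts as missing).
        findings.append("missing SameSite")
    elif str(samesite).lower() == "none" and "secure" not in attrs:
        # SameSite=None is only honoured by browsers when Secure is set.
        findings.append("SameSite=None without Secure (browsers reject it)")
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    return findings


def audit_headers(headers: list[str]) -> dict[str, list[str]]:
    """Map cookie name -> findings for a list of Set-Cookie headers."""
    return {parse_set_cookie(h)["name"]: audit_cookie(h) for h in headers}


def fetch_set_cookie_headers(url: str) -> list[str]:
    """Fetch a page and return its raw Set-Cookie headers (hypothetical helper).

    urlopen follows redirects, so point this at the page that actually
    sets the cookies (e.g. the login page) rather than one that redirects
    to it, or the Set-Cookie headers of the redirect response are lost.
    """
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in
    # fetch_set_cookie_headers("https://viewer.example/csp/...") to test live.
    for cookie_name, problems in audit_headers(SAMPLE_HEADERS).items():
        status = ", ".join(problems) if problems else "OK"
        print(f"{cookie_name}: {status}")
```

Run it against the constructed sample to see the two cookies side by side; against a live instance, compare the output before and after changing the Web Gateway setting to confirm the SameSite attribute actually appears on CSPWSERVERID.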