FROM CACHE - en_header
Promotion image

'HttpOnly' Flag Missing from User Management Cookies

'HttpOnly' Flag Missing from User Management Cookies

AdrianaMoralesQ
Shopify Partner
1 0 0
‎05-06-2025 12:13 PM

Hi all, 

 

We recently conducted a pen-test on our Shopify storefront via a third party security company. They identified some cookies, flagged as being used for session management, which do not have the HttpOnly attribute set.

 

The cookies flagged were: 

  • _shopify_sa_p
  • _shopify_sa_t
  • _shopify_s
  • _shopify_y
  • _tracking_consent
  • cart-currency
  • keep_alive
  • shopify_pay_redirect

 

Can someone confirm whether these cookies are actually used for session management and whether them lacking HttpOnly can lead to theft via cross-site scripting (XSS) attacks? 

Labels:
300 Views
0 Likes
Report
Replies 0 (0)

Community Blog Articles

441285313-63bbef53-3fbe-4e8b-a706-5b37afa90468.png
Automate store operations with Shopify Academy & Coding with Jan

Learn how to build powerful custom workflows in Shopify Flow with expert guidance from ...

By Jacqui May 7, 2025
April.jpg
Highlighting our Members of April '25

Did You Know? May is named after Maia, the Roman goddess of growth and flourishing! ...

By JasonH May 2, 2025
page_thumb_partner.jpg
Enhance a brand’s visibility with Shopify Academy's new SEO resources

Discover opportunities to improve SEO with new guidance available from Shopify’s growth...

By Jacqui May 1, 2025
Terms of Service Privacy Policy