HomeRoadmapFeature RequestsRelease Notes
API Reference

Third Level Domain Cookies, Potential Pitfalls

Avoid blocking subscriber traffic due to insecure cookies

Suggest Edits

Understanding and Resolving Third-Level Domain Cookie Issues**

Overview
Your StatusCast website offers the flexibility to choose a third-level domain (ex: yourname.ourdomain.com) to use for your status page. Due to some recent security changes, some of our customers may now experience their status page being blocked by our firewall. The most likely source for this issue pertains to the way cookies are set and used across third-level domains.

What are Third-Level Domain Cookies?
A third-level domain cookie is set by a website and can be accessed by other websites or subdomains within the same primary domain. For example, a cookie set by blog.yourdomain.com can potentially be accessed by shop.yourdomain.com. This can be useful for maintaining user sessions or preferences across various subdomains.

The Problem
Issues arise when these cookies are not properly configured, leading to potential security risks. Our firewall is designed to detect and block such risks, which can result in your web pages being inaccessible to users with certain types of cookies.

Common Causes
Broad Domain Specification in Cookies: If a cookie is set with a domain attribute like .ourdomain.com, it becomes accessible across all subdomains, which might not be intended.
Insecure Cookie Settings: Cookies set without proper security attributes (like Secure or HttpOnly flags) can make your site vulnerable.

Cross-Domain Scripting Risks: Allowing cookies to be accessed across different third-level domains can potentially expose your site to cross-scripting attacks.

How to Resolve the Issue

  1. Restrict Cookie Scope
    Set specific subdomain names in your cookies. Instead of .yourdomain.com, specify www.yourdomain.com to restrict the cookie to that specific subdomain.
  2. Secure Your Cookies
    Use the 'Secure' attribute to ensure cookies are sent only over HTTPS.
    Implement 'HttpOnly' attribute to prevent cookies from being accessed via JavaScript.
  3. Review and Update Your Cookie Policy
    Regularly review how cookies are used on your site.
    Update your cookie policy to reflect the best practices for security and privacy.
  4. Test Your Website
    After making changes, thoroughly test your website to ensure that it functions correctly without triggering firewall blocks.

For more information regarding StatusCast's firewall updates, please reference: https://status.statuscast.com/incident/520600

Updated 3 months ago