Cookies can have security attributes to enhance their protection against various attacks. The question asks which attribute ensures that the cookie is only sent over a TLS (encrypted) channel, meaning it is transmitted securely via HTTPS and not over unencrypted HTTP.
Option A ("Secure"): The Secure attribute ensures that the browser only sends the cookie over a secure, encrypted connection (i.e., HTTPS). If a request is made over HTTP, the browser will not include the cookie, preventing it from being intercepted in plaintext. This is the correct answer.
Option B ("HttpOnly"): The HttpOnly attribute prevents the cookie from being accessed by JavaScript (e.g., via document.cookie), mitigating XSS attacks that steal cookies, but it does not enforce transmission over TLS.
Option C ("No_XSS"): This is not a valid cookie attribute; it appears to be a made-up term and does not relate to TLS enforcement.
Option D ("None of the above"): Incorrect, as the Secure attribute directly addresses the requirement.
The correct answer is A, aligning with the CAP syllabus under "Cookie Security" and "Session Management." References: SecOps Group CAP Documents - "Cookie Security Attributes," "Secure Session Management," and "OWASP Session Management Cheat Sheet" sections.
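As an added illustration (not part of the original question or the CAP materials), the following Python models the browser rules the explanation describes: a cookie carrying Secure is attached only to https:// requests, and a cookie carrying HttpOnly is hidden from document.cookie. The Set-Cookie headers and the audit function are constructed for this example.

```python
# Minimal model of browser handling of the Secure and HttpOnly cookie attributes,
# plus an audit helper that flags session cookies missing either flag.

def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and a lowercase attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def browser_will_send(cookie: dict, scheme: str) -> bool:
    """Browser rule: a Secure cookie is only sent when the request scheme is https."""
    if "secure" in cookie["attrs"]:
        return scheme.lower() == "https"
    return True  # no Secure flag: sent over http and https alike


def script_can_read(cookie: dict) -> bool:
    """Browser rule: HttpOnly cookies are not exposed through document.cookie."""
    return "httponly" not in cookie["attrs"]


def audit_cookies(headers: list) -> list:
    """Return one finding per missing protection, in header order."""
    findings = []
    for header in headers:
        c = parse_set_cookie(header)
        if "secure" not in c["attrs"]:
            findings.append(f"{c['name']}: missing Secure (would be sent over plain HTTP)")
        if "httponly" not in c["attrs"]:
            findings.append(f"{c['name']}: missing HttpOnly (readable via document.cookie)")
    return findings


# Constructed sample headers: a hardened session cookie and a weak one.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "legacy_token=xyz789; Path=/",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        c = parse_set_cookie(h)
        print(c["name"], "sent over http:", browser_will_send(c, "http"),
              "| readable by JS:", script_can_read(c))
    for finding in audit_cookies(SAMPLE_HEADERS):
        print("FINDING:", finding)
```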