Missing HttpOnly attribute in session cookie
The HttpOnly flag keeps the session cookie out of reach of document.cookie, so script injected through XSS cannot read the session token. In a Servlet 3.0+ application the container-issued session cookie is configured in web.xml; the elements must be nested as shown (cookie-config inside session-config):
<session-config>
  <cookie-config>
    <http-only>true</http-only>
  </cookie-config>
</session-config>
The sibling element <secure>true</secure> inside cookie-config additionally marks the cookie Secure so it is only sent over HTTPS.
CHECKS FOR SRI SUPPORT
Not supporting SRI (the script is fetched with no integrity check, so a tampered or compromised CDN copy runs unchanged):
<script src="https://example.com/example-framework.js"
crossorigin="anonymous"></script>
Supporting SRI (the integrity attribute carries the base64-encoded SHA-384 digest of the expected file; the browser refuses to execute the script if the fetched bytes do not match, and crossorigin="anonymous" is required for the check to be performed on a cross-origin script):
<script src="https://example.com/example-framework.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
crossorigin="anonymous"></script>
Permanent Cookie Contains Sensitive Session Information
Make sure that sensitive session information such as session tokens is stored only in non-persistent cookies (session cookies, which the browser keeps in memory). This is achieved by not setting the "Expires" or "Max-Age" attribute on the cookie: a cookie with neither is discarded when the browser session ends, whereas a persistent cookie is written to disk and survives until its expiry date. User credentials should not be stored in any cookie at all.
Fix: remove the "Expires" (and "Max-Age") attribute from cookies that carry session tokens.
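The following Node.js snippet is an added example, not code from the original checklist. It audits Set-Cookie headers for both cookie findings above (a session cookie without HttpOnly, and a session token placed in a persistent cookie with Expires or Max-Age set) and additionally flags a missing Secure attribute, which is not in the checklist but is the usual companion check. The session cookie name list and the sample headers are constructed for the example.

```javascript
// Added example (not part of the original checklist): audit Set-Cookie
// headers for session cookies lacking HttpOnly and for session tokens in
// persistent cookies. The Secure check is an extra not in the checklist.
// Session cookie names and sample headers are constructed for the example.
const SESSION_COOKIE_NAMES = ["jsessionid", "phpsessid", "asp.net_sessionid", "session", "sid"];

// Parse one Set-Cookie header value into name, value and a lowercase
// attribute map (flag attributes such as HttpOnly map to true).
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";");
  const eq = pair.indexOf("=");
  const attrs = Object.create(null);
  for (const part of attrParts) {
    const [key, ...rest] = part.split("=");
    attrs[key.trim().toLowerCase()] = rest.length ? rest.join("=").trim() : true;
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

// Heuristic: known session cookie names, or anything with "sess" in the name.
function isSessionCookie(name) {
  const n = name.toLowerCase();
  return SESSION_COOKIE_NAMES.includes(n) || n.includes("sess");
}

// Return the findings for one Set-Cookie header (empty when it is fine).
function auditSetCookie(header) {
  const cookie = parseSetCookie(header);
  const findings = [];
  if (!isSessionCookie(cookie.name)) return findings;
  if (!("httponly" in cookie.attrs)) findings.push(`${cookie.name}: missing HttpOnly`);
  if (!("secure" in cookie.attrs)) findings.push(`${cookie.name}: missing Secure`);
  if ("expires" in cookie.attrs || "max-age" in cookie.attrs) {
    findings.push(`${cookie.name}: session token in persistent cookie (Expires/Max-Age set)`);
  }
  return findings;
}

function auditAll(headers) {
  return headers.flatMap(auditSetCookie);
}

// Constructed sample response headers: the first is wrong on two counts,
// the second is the corrected form, the third is a harmless preference cookie.
const SAMPLE_SET_COOKIE_HEADERS = [
  "JSESSIONID=3F2A9C; Path=/; Secure; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
  "JSESSIONID=3F2A9C; Path=/; Secure; HttpOnly",
  "theme=dark; Path=/; Max-Age=31536000",
];

console.log(auditAll(SAMPLE_SET_COOKIE_HEADERS));
```

The name heuristic is deliberately loose; when auditing a specific application, replace it with the exact cookie names the framework issues.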
Unsafe Third-Party link (target="_blank")
Add rel="noopener noreferrer" to every link tag that has target="_blank" and points to a page outside your domain. Without it, the page opened in the new tab receives a reference to the original tab through window.opener and can navigate it to a different URL, which enables phishing (reverse tabnabbing) if the linked page is malicious. noopener removes that reference; noreferrer additionally suppresses the Referer header sent to the third-party site.
Fix: <a href="http://example.com" target="_blank" rel="noopener noreferrer">Link</a>
Autocomplete HTML Attribute Not Disabled for Password Field
If the "autocomplete" attribute is missing on a password "input" field, add it with the value "off"; if it is set to "on", change it to "off".
Fix: Password: <input type="password" name="password" autocomplete="off">
Caveat: current browsers ignore autocomplete="off" on password fields and still offer to save or fill the password from their built-in password manager, so treat this as a hardening measure for shared or kiosk machines rather than a reliable control.
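The following Node.js snippet is an added example, not code from the original checklist. It scans markup for the two HTML findings above (target="_blank" links to other origins without rel="noopener"/"noreferrer", and password inputs without autocomplete="off") and rewrites the unsafe links, merging into any rel attribute already present. SITE_ORIGIN and the sample markup are constructed for the example.

```javascript
// Added example (not part of the original checklist): find unsafe
// target="_blank" links and password fields without autocomplete="off",
// and rewrite the links. SITE_ORIGIN and SAMPLE_HTML are constructed.
const SITE_ORIGIN = "https://www.example.org";

// Parse a tag's attribute string into a lowercase-keyed map. Quoted and
// bare values are handled; a flag attribute maps to "".
function parseAttrs(attrString) {
  const attrs = Object.create(null);
  const re = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrString)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function relTokens(attrs) {
  return (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
}

// A link is third-party when its resolved origin differs from the site's.
function isExternal(href) {
  try {
    return new URL(href, SITE_ORIGIN).origin !== SITE_ORIGIN;
  } catch {
    return false;
  }
}

function isUnsafeBlankLink(attrs) {
  if ((attrs.target || "").toLowerCase() !== "_blank" || !isExternal(attrs.href || "")) return false;
  const rel = relTokens(attrs);
  // noreferrer implies noopener in current browsers, so either token suffices.
  return !rel.includes("noopener") && !rel.includes("noreferrer");
}

// Return findings for <a> and <input> tags in the markup.
function auditHtml(html) {
  const findings = [];
  const tagRe = /<(a|input)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    if (tag === "a" && isUnsafeBlankLink(attrs)) {
      findings.push(`unsafe _blank link: ${attrs.href}`);
    }
    if (tag === "input" && (attrs.type || "").toLowerCase() === "password"
        && (attrs.autocomplete || "on").toLowerCase() !== "off") {
      findings.push(`password field without autocomplete="off": ${attrs.name || "(unnamed)"}`);
    }
  }
  return findings;
}

// Rewrite unsafe _blank links, merging into any existing rel attribute.
function fixBlankLinks(html) {
  return html.replace(/<a\b([^>]*)>/gi, (whole, attrString) => {
    const attrs = parseAttrs(attrString);
    if (!isUnsafeBlankLink(attrs)) return whole;
    const rel = [...new Set([...relTokens(attrs), "noopener", "noreferrer"])].join(" ");
    const withoutRel = attrString
      .replace(/\s+rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i, "")
      .replace(/\s+$/, "");
    return `<a${withoutRel} rel="${rel}">`;
  });
}

// Constructed sample markup: one internal link, one unsafe external link,
// one already-fixed external link, and a password field set to "on".
const SAMPLE_HTML = `
<a href="/about" target="_blank">About</a>
<a href="http://example.com" target="_blank">Partner</a>
<a href="http://example.com" target="_blank" rel="noopener noreferrer">Safe</a>
<form><input type="text" name="user"><input type="password" name="password" autocomplete="on"></form>
`;

console.log(auditHtml(SAMPLE_HTML));
console.log(fixBlankLinks(SAMPLE_HTML));
```

The regex-based tag scan is adequate for a quick audit of templates; for full pages with scripts or comments containing markup, run the same checks over a real DOM (for example in the browser with document.querySelectorAll('a[target="_blank"]')) instead.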