How to disabled cookie test or set secure for cookie?

[ange007]

Hi.
When conducting security tests, the service complains about a security problem due to cookie checking. Is it possible to somehow exclude cookies from sources or make protected cookies?

[makma]

Hello @ange007, thank you for your question.
Adding a secure cookie attribute would break the usage of this library on the sites running on HTTP.

insecure sites (with HTTP: in the URL) can't set cookies with the Secure attribute

src: MDN
Also, it would cause breaking changes in the already generated fingerprints (see this issue).

At this moment, we can only suggest modifying the FingerprintJS code or adding the cookie entropy source to the WAS exceptions.

[Finesse]

@ange007, yo can find a couple of ways to modify the library code here.

We consider adding a compile-time entropy source list customization in a future version of the library. It will allow excluding entropy sources from the library code completely. But I can't say when we'll implement it.

[ange007]

The WAS exception definitely doesn't fit since it's an external audit. And rewriting the library requires the creation of a fork and separate maintenance due to the use in several microservices, which is not convenient. But thanks for the reply. True, it is rather strange that the choice of generation methods is rigidly prescribed without the possibility of customization. We will look for other solutions and wait until the appropriate switches or settings are added. Thank you.

[Finesse]

One of the methods suggested here doesn't require forking the library.

I understand your problem, but your case is very specific, so it's a low priority.