github internxt/drive-web v1.0.800

6 hours ago

Description

What

Add the Secure attribute to all client-set cookies (impactSource, impactAnonymousId, impactClickId, impactPartnerId, gclid, and any cookie written via setCookie()).

Also fixes a stray single-quote bug in setCookie() that was silently malforming the cookie string (domain=internxt.com').

Files changed:

  • src/app/analytics/utils.ts: setCookie() and setImpactCookies()
  • src/views/Checkout/views/CheckoutViewWrapper.tsx: gclid cookie

Why

A security audit flagged that session and tracking cookies were being set without the Secure flag, meaning the browser could transmit them over unencrypted HTTP connections. This opens the door to man-in-the-middle attacks where an attacker on the network path could intercept or replay cookie values.

Adding Secure ensures cookies are only sent over HTTPS, closing that transmission vector. No SameSite changes were made to avoid altering the existing cross-site behavior of analytics tracking.
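The two defects described above, as an added example that is not drive-web's own code: `buildCookie` and `auditCookie` are hypothetical helpers, and the `before` string is constructed to match the description (no Secure, stray quote after the domain).

```javascript
// Added example; helper names and sample values are assumptions, not project code.

// Build the string that would be assigned to document.cookie, always with Secure.
function buildCookie(name, value, { domain, days = 30, path = '/' } = {}) {
  const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`];
  parts.push(`expires=${new Date(Date.now() + days * 864e5).toUTCString()}`);
  parts.push(`path=${path}`);
  if (domain) parts.push(`domain=${domain}`);
  parts.push('Secure'); // only sent over HTTPS
  return parts.join('; ');
}

// Audit a cookie string for a missing Secure flag and a malformed domain value.
function auditCookie(cookieString) {
  // Drop the leading name=value pair, keep the attributes.
  const [, ...attrs] = cookieString.split(';').map((s) => s.trim());
  const attrMap = new Map();
  for (const attr of attrs) {
    if (!attr) continue;
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    attrMap.set(key, eq === -1 ? '' : attr.slice(eq + 1));
  }
  const findings = [];
  if (!attrMap.has('secure')) findings.push('missing-secure');
  const domain = attrMap.get('domain');
  // A domain attribute should contain only hostname characters (optional leading dot).
  if (domain !== undefined && !/^\.?[a-z0-9-]+(\.[a-z0-9-]+)*$/i.test(domain)) {
    findings.push('malformed-domain');
  }
  return findings;
}

// Constructed "before" value: no Secure, stray single quote after the domain.
const before =
  "gclid=abc123; expires=Fri, 01 Jan 2027 00:00:00 GMT; path=/; domain=internxt.com'";
// "After" value produced by the helper above.
const after = buildCookie('gclid', 'abc123', { domain: 'internxt.com' });

console.log('before:', auditCookie(before));
console.log('after: ', auditCookie(after));
```

Browsers refuse a Secure cookie written from a page loaded over plain HTTP, so a non-HTTPS development host will show these cookies as missing after this change.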

Related Issues

None

Related Pull Requests

None

Checklist

  • Changes have been tested locally.
  • Unit tests have been written or updated as necessary.
  • The code adheres to the repository's coding standards.
  • Relevant documentation has been added or updated.
  • No new warnings or errors have been introduced.
  • SonarCloud issues have been reviewed and addressed.
  • QA Passed

Testing Process

Set in the related Jira ticket.

Additional Notes

This needs a review from marketing as this may — or may not — affect analytics
