From 1e1a298851cf2e743a77f25313e498823e3b3a89 Mon Sep 17 00:00:00 2001 From: Elar Lang Date: Thu, 5 Dec 2024 21:43:34 +0200 Subject: [PATCH] #2419 - cookie secure attribute and __Secure- prefix --- 5.0/en/0x50-V50-Web-Frontend-Security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/5.0/en/0x50-V50-Web-Frontend-Security.md b/5.0/en/0x50-V50-Web-Frontend-Security.md index 26f5cbca4b..e89bb5ea79 100644 --- a/5.0/en/0x50-V50-Web-Frontend-Security.md +++ b/5.0/en/0x50-V50-Web-Frontend-Security.md @@ -22,7 +22,7 @@ To leverage the benefits of same-origin isolation, applications should be hosted | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | -| **50.2.1** | [MOVED FROM 3.4.1] Verify that cookie-based session tokens have the 'Secure' attribute set. | ✓ | ✓ | ✓ | 614 | +| **50.2.1** | [MODIFIED, MOVED FROM 3.4.1] Verify that cookies have the 'Secure' attribute set, and if the '\__Host-' prefix is not used for the cookie name, the '__Secure-' prefix must be used for the cookie name. | ✓ | ✓ | ✓ | 614 | | **50.2.2** | [MODIFIED, MOVED FROM 3.4.2] Verify that cookie-based session tokens are not readable by client-side scripts. The session token cookie should have the 'HttpOnly' attribute set and the session token value should only be transferred to the client via the Set-Cookie header field. | ✓ | ✓ | ✓ | 1004 | | **50.2.3** | [MOVED FROM 3.4.3] Verify that cookie-based session tokens utilize the 'SameSite' attribute to limit exposure to cross-site request forgery attacks. | ✓ | ✓ | ✓ | 1275 | | **50.2.4** | [MOVED FROM 3.4.4] Verify that cookie-based session tokens use the "__Host-" prefix so cookies are only sent to the host that initially set the cookie. | ✓ | ✓ | ✓ | 16 |
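Review bot: In the added 50.2.1 row, the escaping is inconsistent: '\__Host-' is written with a backslash while '__Secure-' in the same sentence and "__Host-" in 50.2.4 are not, so the rendered text will differ between the two names. Suggest either escaping both underscores consistently or wrapping the names in backticks. The conditional phrasing "if the '__Host-' prefix is not used ..., the '__Secure-' prefix must be used" could also be tightened to a positive statement, e.g. "Verify that cookies have the 'Secure' attribute set and that the cookie name uses the '__Host-' or '__Secure-' prefix", which reads more like the other rows. Finally, the row now says "cookies" where the original said "cookie-based session tokens", while 50.2.2 to 50.2.4 still scope themselves to session tokens; if the broader scope is intended, the commit message or the paragraph above the table should say so, since 50.2.4 already mandates '__Host-' for session token cookies at L1 and the overlap between the two rows is otherwise unclear.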