Μη ασφαλή tracking cookies (προβλήματα Secure ή SameSite)

Γιατί έχει σημασία

Τα tracking cookies χωρίς κατάλληλα security attributes αυξάνουν τον κίνδυνο ακούσιας έκθεσης ή ασυνεπούς συμπεριφοράς μεταξύ browsers. Ακόμη κι αν το consent έχει διορθωθεί, αυτό παραμένει ξεχωριστό τεχνικό πρόβλημα.

Πώς να το επαληθεύσετε χειροκίνητα

1. Inspect cookies in browser storage tools after analytics or marketing tags load.
2. Check whether tracking cookies include Secure, HttpOnly where applicable, and an appropriate SameSite value.
3. Verify cookie behavior over HTTPS and behind production reverse proxies, not just locally.

Τυπικές αιτίες

• Framework defaults are overridden or outdated.
• Proxy or CDN terminates HTTPS but origin app still thinks the request is insecure.
• Third-party tools set cookies with legacy defaults you have not reviewed.

Διόρθωση στο GTM

1. Review whether custom GTM scripts set their own cookies without explicit attributes.
2. Avoid custom tracking logic that writes cookies client-side unless necessary.
3. Prefer vendor integrations that support secure defaults and consent-aware behavior.

Διόρθωση σε WordPress ή CMP plugins

1. Audit SEO, analytics, and marketing plugins that create client-side cookies.
2. Update plugins and review cookie settings exposed in their dashboards.
3. Verify reverse proxy or HTTPS detection settings in WordPress and hosting config.

Γενική διόρθωση για developers

1. Set Secure on cookies delivered over HTTPS.
2. Choose SameSite=Lax or SameSite=None; Secure based on the actual cross-site use case.
3. Test behavior in the real production environment, not only local development.

Πώς να επιβεβαιώσετε ότι η διόρθωση λειτουργεί

• Inspect cookies again after deployment and confirm attributes changed as expected.
• Test in Chrome and another major browser to catch cross-browser differences.
• Run a fresh scan and verify the insecure-cookie finding clears.