[HTAF4-213] [Pre-submission] HTTPOnly session cookie exposure on the /csstest endpoint
Medium
Vulnerability Details
## Description
We were able to identify an endpoint that prints the request headers into the page. This includes the sensitive HTTPOnly session cookie, which should not be accessible from the DOM.
## POC
https://█████████/csstest
███████
The `JSESSIONID` cookie will be reflected in the response.
## Suggested fix
Remove the page or its content, or restrict access to it.
## Impact
Combined with any XSS vulnerability, this results in session cookie theft and likely authentication bypass (by default this isn't possible, because XSS can't read HTTPOnly cookies), since the attacker can request the `/csstest` page from the XSS context and read the cookie out of the response.
We will try to find one and chain the vulns together.
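For illustration, an added example (not the reported application's code, whose stack is unknown beyond the `JSESSIONID` cookie name) showing the header-echo behaviour described above next to a hardened rendering that drops credential-bearing headers and HTML-escapes the rest, plus a regression check for cookie reflection. The header set, function names and sample request are constructed for this example.

```python
import html

# Request headers that carry credentials or session material and must never
# be echoed into a response body, even on an internal debug page.
SENSITIVE_HEADERS = frozenset({
    "cookie", "authorization", "proxy-authorization", "x-csrf-token",
})

# Constructed sample request; the cookie value is a placeholder, not real data.
SAMPLE_REQUEST_HEADERS = {
    "Host": "app.example.internal",
    "Cookie": "JSESSIONID=constructed-session-value-123",
    "User-Agent": "<script>alert(1)</script>",
}


def render_headers_vulnerable(headers: dict) -> str:
    """Behaviour reported for /csstest: every request header, Cookie included,
    is written into the page, and nothing is escaped."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in headers.items())
    return f"<table>{rows}</table>"


def render_headers_safe(headers: dict) -> str:
    """Hardened variant: redact credential headers and escape all other values
    so the page can neither leak the session nor become an injection sink."""
    rows = []
    for name, value in headers.items():
        shown = "[redacted]" if name.lower() in SENSITIVE_HEADERS else html.escape(value)
        rows.append(f"<tr><td>{html.escape(name)}</td><td>{shown}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


def leaks_cookie(body: str, cookie_value: str) -> bool:
    """Regression check: does a response body reflect the session cookie value?"""
    return cookie_value in body


if __name__ == "__main__":
    secret = "constructed-session-value-123"
    print("vulnerable leaks cookie:", leaks_cookie(render_headers_vulnerable(SAMPLE_REQUEST_HEADERS), secret))
    print("hardened leaks cookie:  ", leaks_cookie(render_headers_safe(SAMPLE_REQUEST_HEADERS), secret))
```

The `leaks_cookie` check is the kind of assertion to keep in an integration test suite so a debug page that echoes headers cannot quietly reappear.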
Report Stats
- Report ID: 723090
- State: Closed
- Substate: resolved
- Upvotes: 41