Missing HTTP Only Option in Cookie Configuration
Overview
Rule ID:
java_lang_cookie_missing_http_only
Applicable Languages: Java
Weakness ID: CWE-1004
Description
Not configuring the HTTP Only attribute as true
in cookie settings exposes the cookie to potential access by client-side JavaScript. This oversight can lead to the exposure of sensitive cookie values, especially on websites vulnerable to Cross-Site Scripting (XSS) attacks. Enabling HTTP Only is critical to prevent malicious scripts from accessing cookie values through JavaScript.
Remediation Guidelines
To protect cookies from unauthorized access by client-side JavaScript, always set the HTTP Only attribute to true
. This is a crucial measure in safeguarding your cookies against XSS vulnerabilities.
Refrences
Configuration
To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL
Last updated