Missing HTTP Only Option in Cookie Configuration

Overview

Rule ID: java_lang_cookie_missing_http_only
Applicable Languages: Java
Weakness ID: CWE-1004

Description

Not configuring the HTTP Only attribute as true in cookie settings exposes the cookie to potential access by client-side JavaScript. This oversight can lead to the exposure of sensitive cookie values, especially on websites vulnerable to Cross-Site Scripting (XSS) attacks. Enabling HTTP Only is critical to prevent malicious scripts from accessing cookie values through JavaScript.

Remediation Guidelines

To protect cookies from unauthorized access by client-side JavaScript, always set the HTTP Only attribute to true. This is a crucial measure in safeguarding your cookies against XSS vulnerabilities.

cookie.setHttpOnly(true);

Refrences

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousMissing database password detected NextMissing Optimal Asymmetric Encryption Padding (OAEP)

Last updated 1 month ago