# Missing Secure option in cookie configuration

## Overview

* **Rule ID**: `java_lang_information_leakage`
* **Applicable Languages**: Java
* **Weakness ID**: CWE-614

## Description

Failing to set the `Secure` attribute on a cookie can result in unauthorized third-party access, because the browser may then send the cookie over unencrypted HTTP. Enabling this attribute ensures that the cookie is transmitted to the server exclusively over HTTPS, which protects it from eavesdropping in transit.

## Remediation Guidelines

* Set the `Secure` attribute by calling `setSecure(true)` on the cookie so that it is transmitted only over HTTPS.

  ```java
  cookie.setSecure(true);
  ```
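
To verify the remediation from the response side, the following added example (not part of the original rule documentation) parses `Set-Cookie` headers with the JDK's `java.net.HttpCookie` and lists every cookie issued without `Secure`. The class name `SecureCookieCheck`, the `missingSecure` helper and the sample headers are constructed for illustration.

```java
import java.net.HttpCookie;
import java.util.ArrayList;
import java.util.List;

public class SecureCookieCheck {

    // Returns the names of cookies in the given Set-Cookie header lines
    // that were issued without the Secure attribute. Headers that cannot
    // be parsed are reported too, so a malformed cookie is never silently
    // treated as compliant.
    static List<String> missingSecure(List<String> setCookieHeaders) {
        List<String> findings = new ArrayList<>();
        for (String header : setCookieHeaders) {
            try {
                for (HttpCookie cookie : HttpCookie.parse(header)) {
                    if (!cookie.getSecure()) {
                        findings.add(cookie.getName());
                    }
                }
            } catch (IllegalArgumentException e) {
                findings.add("<unparsable: " + header + ">");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample response headers (not captured from a real site).
        List<String> headers = List.of(
            "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly",
            "Set-Cookie: prefs=dark; Path=/; Secure",
            "Set-Cookie: token=xyz; Path=/api; Secure; HttpOnly");

        List<String> findings = missingSecure(headers);
        if (findings.isEmpty()) {
            System.out.println("All cookies carry the Secure attribute.");
        } else {
            System.out.println("Cookies without Secure: " + findings);
        }
    }
}
```

A check like this fits in an integration test that collects the `Set-Cookie` headers of each response and fails the build when the returned list is not empty.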

## References

* [**CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute**](https://cwe.mitre.org/data/definitions/614.html)
* [**A05:2021 - Security Misconfiguration**](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)

## Configuration

To omit this rule during a scan, and to get continuous 24/7 code-level scanning, you can use our [**SAST TOOL**](https://scopy.sec1.io/login).
