Missing Secure option in cookie configuration

Overview

Rule ID: java_lang_information_leakage
Applicable Languages: Java
Weakness ID: CWE-614

Description

Failure to set the "Secure" attribute in cookie configuration can result in unauthorized third-party access. Enabling this attribute ensures that cookies are transmitted to the server exclusively over HTTPS, thereby bolstering security and thwarting potential eavesdropping.

Remediation Guidelines

Ensure to set the setSecure attribute to true to enforce cookies transmission only over HTTPS.
```
cookie.setSecure(true);
```

References

CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
A05:2021 - Security Misconfiguration

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousMissing Protection against Session Fixation Attacks NextMissing signature verification of JWT

Last updated 8 months ago