Permissive HTTP Only option in cookie configuration

Overview

Rule ID: java_lang_cookie_with_http_only_false
Applicable Languages: Java
Weakness ID: CWE-1004

Description

Failing to set the HTTP Only option to true in cookie configuration exposes your application to attacks, enabling client-side scripts to access cookie values. This vulnerability can result in unauthorized access or exploits.

Remediation Guidelines

Set HttpOnly to true for cookies to prevent client-side scripts from accessing cookie values. This step is crucial for enhancing your application's security by restricting access to sensitive cookie data.
```
cookie.setHttpOnly(true);
```

References

CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
A05:2021 - Security Misconfiguration

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousPermissive cookie configuration NextPermissive Screenshot option set

Last updated 1 month ago