Permissive HTTP Only option in cookie configuration

Overview

• Rule ID: java_lang_cookie_with_http_only_false

• Applicable Languages: Java

• Weakness ID: CWE-1004

Description

Failing to set the HTTP Only option to true in cookie configuration exposes your application to attacks, enabling client-side scripts to access cookie values. This vulnerability can result in unauthorized access or exploits.

Remediation Guidelines

• Set HttpOnly to true for cookies to prevent client-side scripts from accessing cookie values. This step is crucial for enhancing your application's security by restricting access to sensitive cookie data.

  Copy

  cookie.setHttpOnly(true);

References

• CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

• A05:2021 - Security Misconfiguration

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL