ProductsBook A DemoContact Us

Permissive HTTP Only option in cookie configuration

Overview

  • Rule ID: java_lang_cookie_with_http_only_false

  • Applicable Languages: Java

  • Weakness ID: CWE-1004

Description

Failing to set the HTTP Only option to true in cookie configuration exposes your application to attacks, enabling client-side scripts to access cookie values. This vulnerability can result in unauthorized access or exploits.

Remediation Guidelines

  • Set HttpOnly to true for cookies to prevent client-side scripts from accessing cookie values. This step is crucial for enhancing your application's security by restricting access to sensitive cookie data.

    cookie.setHttpOnly(true);

References

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousPermissive cookie configurationNextPermissive Screenshot option set

Last updated