Leakage of Sensitive Information in Exception Messages

Overview

  • Rule ID: javascript_express_cookie_missing_http_only

  • Applicable Languages: Javascript

  • Weakness ID: CWE-1004

Description

If the HttpOnly attribute is not set, your cookies are exposed to client-side scripts. The attribute tells the browser to withhold the cookie from JavaScript, so code such as `document.cookie` cannot read its value. This matters most for sites that are vulnerable to Cross-Site Scripting (XSS): without HttpOnly, an injected script can read the cookie (typically a session identifier) and send it elsewhere; with it, the script cannot obtain the cookie data at all.

Remediation Guidelines

  • Set the httpOnly option to true wherever the application sets cookies. This keeps the cookie out of reach of client-side script while the browser still sends it with every request.

    // Express: pass httpOnly in the options of res.cookie() (sessionId is the value being stored)
    res.cookie("session", sessionId, { httpOnly: true });
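As an added example that is not part of this rule page, the code below mirrors how Express turns `res.cookie()` options into a `Set-Cookie` header and then audits emitted headers for a missing HttpOnly attribute; `serializeCookie`, `missingHttpOnly` and `auditSetCookieHeaders` are illustrative names for this example, not Express APIs, and the cookie values are constructed samples.

```javascript
"use strict";

// Serializer in the shape of the `cookie` package that Express uses:
// attributes follow the value, separated by "; ". Only the standard
// attribute names are handled here.
function serializeCookie(name, value, options = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (options.maxAge !== undefined) {
    parts.push(`Max-Age=${Math.floor(options.maxAge / 1000)}`); // ms -> s, as Express does
  }
  parts.push(`Path=${options.path || "/"}`);
  if (options.httpOnly) parts.push("HttpOnly");
  if (options.secure) parts.push("Secure");
  if (options.sameSite) parts.push(`SameSite=${options.sameSite}`);
  return parts.join("; ");
}

// Attribute names of a Set-Cookie header, lower-cased (the first segment is name=value).
function cookieAttributes(setCookieHeader) {
  return setCookieHeader
    .split(";")
    .slice(1)
    .map((p) => p.trim().split("=")[0].toLowerCase());
}

// The condition the rule reports, applied to a header the server actually emitted:
// without HttpOnly the cookie value is readable through document.cookie.
function missingHttpOnly(setCookieHeader) {
  return !cookieAttributes(setCookieHeader).includes("httponly");
}

// Returns the names of all cookies in a response that lack HttpOnly,
// usable as an assertion in an integration test or a response middleware.
function auditSetCookieHeaders(headers) {
  return headers.filter(missingHttpOnly).map((h) => h.split("=")[0]);
}

// Weak configuration: what the rule flags (httpOnly omitted; constructed sample value).
const weakHeader = serializeCookie("session", "sid-0123", { path: "/" });
// Hardened configuration: HttpOnly set, with Secure and SameSite as defence in depth.
const hardenedHeader = serializeCookie("session", "sid-0123", {
  path: "/", httpOnly: true, secure: true, sameSite: "Strict",
});

console.log(weakHeader);      // session=sid-0123; Path=/
console.log(hardenedHeader);  // session=sid-0123; Path=/; HttpOnly; Secure; SameSite=Strict
console.log(auditSetCookieHeaders([weakHeader, hardenedHeader])); // [ 'session' ]
```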

References

Configuration

To omit this rule during a scan, or to get continuous code-level scanning of your repositories, you can use our SAST tool.
