Leakage of Sensitive Information in Exception Messages

Overview

Rule ID: javascript_express_cookie_missing_http_only
Applicable Languages: Javascript
Weakness ID: CWE-1004

Description

If the HTTP Only option is not configured, your cookies are at risk. This setting is essential because it prevents client-side JavaScript from accessing cookie values through code like "document.cookie". Enabling HTTP Only is crucial for websites vulnerable to Cross-Site Scripting (XSS) attacks, as it stops malicious scripts from obtaining cookie data.

Remediation Guidelines

Set the HttpOnly attribute to true in your cookie configuration. This ensures that cookies are protected from unauthorized client-side access.
```
cookie({ httpOnly: true });
```

References

Configuration

PreviousMissing Helmet configuration on HTTP headers NextMissing origin check in message handler

Last updated 9 months ago