Missing Secure option in Cookie Configuration
Overview
Rule ID: javascript_express_insecure_cookie
Applicable Languages: JavaScript
Weakness ID: CWE-614
Description
When a cookie lacks the Secure attribute, the browser will also attach it to plain-HTTP requests to the same host (for example, a request to http://example.com triggered by a link, an image, or a redirect), so anyone positioned on the network path can read it. Setting the Secure attribute instructs the browser to send the cookie only over HTTPS, so a session identifier or other sensitive value never travels in cleartext.
Remediation Guidelines
Do set the `secure` attribute of cookies to `true`. This mandates that cookies are sent only over HTTPS, safeguarding them from eavesdropping. In Express this is the `secure` key of the options object passed to `res.cookie()` (or the `cookie.secure` setting of `express-session`); set `httpOnly` and `sameSite` at the same time, since the same options object controls all three.
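The following is an added example, not code from the page or from Express itself. It places the options object this rule flags beside its hardened form, renders each to the `Set-Cookie` header value a browser would receive, and audits that header for the missing attributes. `serializeCookie` is a stand-in that follows the attribute layout of the `cookie` package that `res.cookie()` delegates to, and `auditSetCookie` is a hypothetical check of the kind you would run against real response headers in an integration test; neither is part of Express.

```javascript
// Added example: Express-style cookie options, serialized to a Set-Cookie header
// value and audited for the Secure attribute. Illustrative code, not from the page
// or from Express; serializeCookie mirrors the `cookie` package's output format and
// auditSetCookie is a hypothetical check.

// BEFORE: the options object this rule flags. Without `secure`, the browser will
// also attach the cookie to plain-HTTP requests.
const insecureCookieOptions = { httpOnly: true, maxAge: 60 * 60 * 1000 };

// AFTER: secure: true limits the cookie to HTTPS; httpOnly and sameSite are the
// companions a practitioner sets in the same options object.
const secureCookieOptions = {
  secure: true,
  httpOnly: true,
  sameSite: 'lax',
  maxAge: 60 * 60 * 1000, // Express takes maxAge in milliseconds
};

// In an Express handler the hardened object is used as:
//   res.cookie('sid', token, secureCookieOptions);
// With express-session, the equivalent is:
//   app.use(session({ secret, cookie: { secure: true, httpOnly: true, sameSite: 'lax' } }));
// Caveat: express-session only sets a secure cookie when req.secure is true. If TLS
// terminates at a proxy in front of the app, add app.set('trust proxy', 1) so the
// X-Forwarded-Proto header is honoured; otherwise no cookie is set at all.

// Render name/value/options as a Set-Cookie header value, in the attribute order
// used by the `cookie` package (Max-Age in seconds, then Path, then flags).
function serializeCookie(name, value, options = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (options.maxAge !== undefined) {
    parts.push(`Max-Age=${Math.floor(options.maxAge / 1000)}`);
  }
  parts.push(`Path=${options.path || '/'}`);
  if (options.httpOnly) parts.push('HttpOnly');
  if (options.secure) parts.push('Secure');
  if (options.sameSite) {
    const raw = options.sameSite === true ? 'Strict' : String(options.sameSite);
    parts.push(`SameSite=${raw.charAt(0).toUpperCase() + raw.slice(1).toLowerCase()}`);
  }
  return parts.join('; ');
}

// Audit a Set-Cookie header value and return the hardening attributes it lacks.
// An empty array means the cookie carries Secure, HttpOnly and SameSite.
function auditSetCookie(header) {
  const attrs = header
    .split(';')
    .slice(1) // drop the name=value pair
    .map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}

// Demonstration on both option sets (constructed cookie name and value).
console.log(auditSetCookie(serializeCookie('sid', 'abc123', insecureCookieOptions))); // [ 'Secure', 'SameSite' ]
console.log(auditSetCookie(serializeCookie('sid', 'abc123', secureCookieOptions))); // []
```

The audit function is the useful half in practice: point it at the `set-cookie` headers of a real response from your test suite and fail the build when the array is non-empty, which catches any handler that still passes the old options object.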
References
Configuration
To exclude this rule from a scan, or to set up continuous code-level scanning, use our SAST tool.