Missing Secure option in Cookie Configuration

Overview

Rule ID: javascript_express_insecure_cookie
Applicable Languages: Javascript
Weakness ID: CWE-614

Description

When a cookie lacks the Secure attribute, it can be transmitted over an unencrypted connection, making it vulnerable to interception by unauthorized parties. Enabling the Secure attribute ensures that cookies are only sent over HTTPS, enhancing the security of data in transit.

Remediation Guidelines

Do set the secure attribute of cookies to true. This action mandates that cookies are sent only over HTTPS, safeguarding them from potential eavesdropping.
```
cookie({ secure: true });
```

References

Configuration

PreviousMissing Secure HTTP server Configuration NextMissing Server Configuration to reduce Server Fingerprinting

Last updated 8 months ago