Usage of default Cookie Configuration

Overview

Rule ID: javascript_express_default_cookie_config
Applicable Languages: Javascript
Weakness ID: CWE-693

Description

Using default cookie configurations can expose your application to security risks. This vulnerability occurs when cookies are set with default values, making them predictable and easier for attackers to exploit.

Remediation Guidelines

Do not rely on default cookie names.
Do use generic, non-descriptive names for session cookies. This makes it harder for attackers to identify and exploit your application's session management mechanism.
Do always specify a maxAge or expires value to control the cookie's lifetime.

References

Express Security Best Practices
CWE-693: Protection Mechanism Failure

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousUnsanitized user input in XML parsing method NextUsage of Default Session Cookie Configuration

Last updated 1 month ago