Cookie missing HttpOnly attribute

Description

Cookie is missing the `HttpOnly` flag or has it explicitly set to `false`. The `HttpOnly` attribute helps mitigate the risk of client-side scripts accessing protected cookies, which is a common target in XSS attacks.

Examples

Insecure Code

java

Cookie sessionCookie = new Cookie("sessionId", "abc123");
response.addCookie(sessionCookie);

Secure Code

java

Cookie sessionCookie = new Cookie("sessionId", "abc123");
sessionCookie.setHttpOnly(true);
response.addCookie(sessionCookie);

Remediation

Ensure `setHttpOnly(true)` is called for any sensitive cookies.

Rule Details

Field	Value
ID	CODE-0671
Category	Web
Severity	LOW
CWE	CWE-1004
Confidence	HIGH
Impact	MEDIUM
Likelihood	LOW
Exploitability	EASY
Tags	cookie, security, xss
OWASP	A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration

References

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Cookie missing HttpOnly attribute ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

References ​

Cookie missing HttpOnly attribute

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References