Sensitive cookie without 'HttpOnly' flag
Description
The session middleware's cookie settings explicitly set `httpOnly` to `false`. The `HttpOnly` flag ensures that sensitive cookies cannot be read by client-side JavaScript (for example through `document.cookie`) and helps to protect session cookies against theft via cross-site scripting attacks.
Examples
Insecure Code
```javascript
const express = require('express');
const session = require('express-session');
const app = express();
// express-session requires a `secret`; SESSION_SECRET is an assumed environment variable.
// httpOnly: false exposes the session cookie to client-side JavaScript.
app.use(session({ secret: process.env.SESSION_SECRET, cookie: { httpOnly: false } }));
```
Secure Code
```javascript
const express = require('express');
const session = require('express-session');
const app = express();
// express-session requires a `secret`; SESSION_SECRET is an assumed environment variable.
// httpOnly: true keeps the session cookie out of reach of client-side JavaScript.
app.use(session({ secret: process.env.SESSION_SECRET, cookie: { httpOnly: true } }));
```
Remediation
Set `httpOnly` to `true` in session cookie settings to prevent client-side JavaScript from accessing sensitive cookies.
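The following is an added example, not part of the rule page or of express-session: a small Node.js check that parses `Set-Cookie` response headers and flags session cookies that lack the `HttpOnly` attribute, so the misconfiguration above can be caught in an integration test. It goes slightly beyond the page by also flagging a missing `Secure` attribute; the cookie names it treats as session cookies and the sample headers are constructed assumptions (express-session's default cookie name is `connect.sid`).

```javascript
// Parse one Set-Cookie header value into the cookie name and a map of
// lower-cased attribute names to their values (true for flag attributes).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    if (attr === '') continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, attributes };
}

// Assumed list of cookie names treated as session cookies;
// "connect.sid" is express-session's default.
const SESSION_COOKIE_NAMES = new Set(['connect.sid', 'sessionid', 'session']);

// Audit all Set-Cookie headers of one response and return a list of findings.
// An empty list means every session cookie carries HttpOnly and Secure.
function auditSetCookies(headers) {
  const findings = [];
  for (const header of headers) {
    const { name, attributes } = parseSetCookie(header);
    if (!SESSION_COOKIE_NAMES.has(name.toLowerCase())) continue;
    if (!('httponly' in attributes)) {
      findings.push(`${name}: missing HttpOnly (CWE-1004)`);
    }
    if (!('secure' in attributes)) {
      findings.push(`${name}: missing Secure`);
    }
  }
  return findings;
}

// Constructed sample headers: what a response looks like with
// `cookie: { httpOnly: false }` versus a hardened configuration.
const INSECURE_HEADERS = ['connect.sid=s%3Aabc.def; Path=/'];
const SECURE_HEADERS = [
  'connect.sid=s%3Aabc.def; Path=/; HttpOnly; Secure; SameSite=Lax',
];

console.log(auditSetCookies(INSECURE_HEADERS)); // two findings for connect.sid
console.log(auditSetCookies(SECURE_HEADERS));   // []
```

In a real test, feed `res.headers['set-cookie']` from a login response into `auditSetCookies` and fail the test when the list is non-empty.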
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0390 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-1004 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | session, cookie, httpOnly |
| OWASP | A2:2017-Broken Authentication, A07:2021-Identification and Authentication Failures |