# Sensitive cookie with improper SameSite attribute

## Description
The `sameSite` attribute is not set to `'strict'` or `'lax'` in the session middleware configuration. Setting it to one of those values stops the browser from sending the session cookie on cross-site requests, which provides protection against Cross-Site Request Forgery (CSRF) attacks.
## Examples

### Insecure Code

```javascript
const session = require('express-session');
const app = express();
app.use(session({ secret: 'secret' }));
```

### Secure Code

```javascript
const session = require('express-session');
const app = express();
app.use(session({ secret: 'secret', cookie: { sameSite: 'strict' } }));
```
## Remediation

Configure the `sameSite` attribute to `'strict'` or `'lax'` when creating a session, for example: `$SESSION({ cookie: { sameSite: 'strict' } })`
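The following is an added example, not code from this rule's documentation or from the express-session project. It audits an express-session options object the way this rule does: it reports an unset `cookie.sameSite`, accepts `'strict'` and `'lax'`, and flags `'none'`, which gives no CSRF protection and is rejected by modern browsers unless `secure: true` is also set. The function name `auditSameSite` and the sample option objects are constructed for this example; the mapping of `sameSite: true` to `Strict` follows express-session's documented cookie options. Chromium-based browsers treat an unset attribute as `Lax`, but not every browser does, so the attribute should be set explicitly.

```javascript
// Added example (not express-session's own code): audits the `cookie.sameSite`
// setting of an express-session options object as this rule does.
// Follows the documented express-session semantics: `true` means Strict,
// `false`/undefined leaves the attribute unset, strings are used as given.

// Hypothetical helper name; `options` is the object you would pass to session().
function auditSameSite(options) {
  const cookie = (options && options.cookie) || {};
  const raw = cookie.sameSite;

  if (raw === undefined || raw === false) {
    return {
      ok: false,
      effective: null,
      reason: 'sameSite not set; the session cookie may be sent on cross-site requests',
    };
  }

  // express-session sets SameSite=Strict when the option is `true`.
  const value = raw === true ? 'strict' : String(raw).toLowerCase();

  if (value === 'strict' || value === 'lax') {
    return { ok: true, effective: value, reason: '' };
  }

  if (value === 'none') {
    // SameSite=None disables the CSRF protection entirely, and modern browsers
    // additionally reject such a cookie unless the Secure attribute is present.
    const secureNote = cookie.secure === true
      ? ''
      : ' (and Secure is not set, so modern browsers will reject the cookie)';
    return { ok: false, effective: 'none', reason: 'sameSite=None gives no CSRF protection' + secureNote };
  }

  return { ok: false, effective: value, reason: `unrecognised sameSite value "${raw}"` };
}

// Builds a hardened options object to hand to session(); constructed for this example.
function hardenedSessionOptions(secret) {
  return { secret, cookie: { sameSite: 'lax', httpOnly: true, secure: true } };
}

// Constructed sample configurations: the insecure form from the page and a hardened one.
const insecureOptions = { secret: 'secret' };
const secureOptions = {
  secret: 'secret',
  cookie: { sameSite: 'strict', httpOnly: true, secure: true },
};

console.log(auditSameSite(insecureOptions)); // ok: false, sameSite not set
console.log(auditSameSite(secureOptions));   // ok: true, effective: 'strict'
console.log(auditSameSite({ secret: 'secret', cookie: { sameSite: 'none' } })); // ok: false
```

`'strict'` is the safest choice for a pure session cookie; `'lax'` is the usual compromise when users must arrive at an authenticated page through a top-level link from another site, since `Lax` still withholds the cookie on cross-site POSTs, which is where CSRF lives.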
## Rule Details

| Field | Value |
|---|---|
| ID | CODE-0393 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-1275 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | CSRF, Session Management |
| OWASP | A2:2017-Broken Authentication, A07:2021-Identification and Authentication Failures |