Insecure Rails Cookie Attributes
Description
The code sets a Rails cookie with insecure attributes, which can expose the cookie to theft or misuse. Specifically, the cookie is set with its same_site attribute set to :none or :lax, or with its httponly or secure attribute set to false.
Examples
Insecure Code

```ruby
cookies[:my_cookie] = { value: '...', same_site: :none, httponly: false, secure: false }
```

Secure Code

```ruby
cookies[:my_cookie] = { value: '...', same_site: :strict, httponly: true, secure: true }
```

Remediation
Update the cookie attributes to use same_site: :strict, httponly: true, and secure: true. For example: `cookies[$ANY] = { value: '...', same_site: :strict, httponly: true, secure: true }`
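As an added example (not part of this rule page or of Rails itself), the following Ruby audits a cookie options hash for the attributes this rule flags and returns a hardened copy; it assumes the caller passes the same hash it would assign to `cookies[...]`, and it conservatively treats an attribute that is not set explicitly as a finding rather than relying on framework defaults.

```ruby
# Added example: audit and harden a Rails-style cookie options hash.
# The checks mirror the rule: same_site :none/:lax, httponly false,
# secure false. An attribute that is absent is reported too (assumption:
# we want explicit values rather than whatever the framework defaults to).

SECURE_COOKIE_DEFAULTS = { same_site: :strict, httponly: true, secure: true }.freeze

# Returns an array of finding strings; an empty array means the cookie passes.
def audit_cookie_options(opts)
  findings = []

  same_site = opts[:same_site]
  if same_site.nil?
    findings << "same_site is not set explicitly; use :strict"
  elsif %i[none lax].include?(same_site.to_s.downcase.to_sym)
    findings << "same_site is #{same_site.inspect}; expected :strict"
  end

  unless opts[:httponly] == true
    findings << "httponly is not true (cookie readable from JavaScript)"
  end

  unless opts[:secure] == true
    findings << "secure is not true (cookie may be sent over plain HTTP)"
  end

  findings
end

# Returns a copy of opts with the weak attributes replaced by the secure values;
# the cookie value and any other keys (path, expires, ...) are preserved.
def harden_cookie_options(opts)
  opts.merge(SECURE_COOKIE_DEFAULTS)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input matching the insecure example above.
  weak = { value: 'abc', same_site: :none, httponly: false, secure: false }
  puts audit_cookie_options(weak)
  puts harden_cookie_options(weak).inspect
end
```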
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0770 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-345 |
| Confidence | HIGH |
| Impact | LOW |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | cookie, insecure-attribute |
| OWASP | N/A |
References
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
- https://api.rubyonrails.org/classes/ActionDispatch/Session/CookieStore.html