Missing secure options for cookie detected.
- Rule ID: express_insecure_cookie
- Languages: javascript
- Source: insecure_cookie.yml
Description
To make sure cookies don't open your application up to exploits or unauthorized access, make sure to set security options appropriately.
Remediations
✅ Set cookie security values to use HTTP(S) instead of client-side javascript.
✅ Set secure values to true to force cookies to only send over HTTPS.
Resources
Associated CWE
- CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute