Missing HTTP Only option in cookie configuration

Description

The absence of the "HttpOnly" attribute in cookie settings leaves the cookie vulnerable to being accessed by client-side JavaScript, such as through "document.cookie". This vulnerability is particularly concerning for websites susceptible to Cross-Site Scripting (XSS) attacks, as it allows malicious scripts to read the cookie value. Properly configuring the "HttpOnly" attribute is a critical step in securing cookies, especially for session management.

Remediations

  • Do set the HttpOnly attribute to true for cookies, especially session cookies, to prevent them from being accessed by client-side scripts. This is a key measure in mitigating the risk of XSS attacks.
    func MyHandler(w http.ResponseWriter, r *http.Request) {
        // Load (or create) the session backed by the configured store
        session, _ := store.Get(r, "session-name")
        ...
        // Mark the session cookie HttpOnly before it is written to the response
        session.Options.HttpOnly = true
        session.Save(r, w)
    }
  • Do use Gorilla SecureCookie for encoding and decoding session data securely. The Gorilla cookie store uses SecureCookie to authenticate (and optionally encrypt) the session value, which provides an additional layer of security for session information.
    var s = sessions.NewCookieStore([]byte("your-secret-key"))
  • Do implement robust session management with Gorilla Sessions. Proper session management helps prevent attacks related to session fixation and enhances overall session security.
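The following is an added example, not code from the Bearer rule or the Gorilla project: it uses only the Go standard library (no Gorilla dependency) to show the weak cookie configuration next to the remediated one, and a small checker that scans Set-Cookie header values for cookies that lack the HttpOnly attribute. The handler names, the cookie name "session-name" and the session value are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// setSessionCookie writes a session cookie. httpOnly=false reproduces the
// weak configuration (readable via document.cookie); httpOnly=true is the
// remediated form. Secure and SameSite are set as well, as a session cookie
// normally should be.
func setSessionCookie(w http.ResponseWriter, value string, httpOnly bool) {
	http.SetCookie(w, &http.Cookie{
		Name:     "session-name", // constructed cookie name
		Value:    value,
		Path:     "/",
		HttpOnly: httpOnly,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	})
}

// cookiesMissingHttpOnly returns the names of cookies, taken from raw
// Set-Cookie header values, that do not carry the HttpOnly attribute.
// Attribute matching is case-insensitive, as browsers treat it.
func cookiesMissingHttpOnly(setCookie []string) []string {
	var missing []string
	for _, raw := range setCookie {
		parts := strings.Split(raw, ";")
		name := strings.TrimSpace(strings.SplitN(parts[0], "=", 2)[0])
		hasHttpOnly := false
		for _, attr := range parts[1:] {
			if strings.EqualFold(strings.TrimSpace(attr), "HttpOnly") {
				hasHttpOnly = true
				break
			}
		}
		if !hasHttpOnly {
			missing = append(missing, name)
		}
	}
	return missing
}

// captureSetCookie runs a handler against an in-memory recorder and returns
// the Set-Cookie header values the handler produced.
func captureSetCookie(h http.HandlerFunc) []string {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Result().Header.Values("Set-Cookie")
}

// weakHandler issues the session cookie without HttpOnly (the flagged case).
func weakHandler(w http.ResponseWriter, r *http.Request) {
	setSessionCookie(w, "constructed-session-id", false)
}

// fixedHandler issues the same cookie with HttpOnly set (the remediation).
func fixedHandler(w http.ResponseWriter, r *http.Request) {
	setSessionCookie(w, "constructed-session-id", true)
}

func main() {
	fmt.Println("weak handler, cookies missing HttpOnly: ",
		cookiesMissingHttpOnly(captureSetCookie(weakHandler)))
	fmt.Println("fixed handler, cookies missing HttpOnly:",
		cookiesMissingHttpOnly(captureSetCookie(fixedHandler)))
}
```

The checker works on the raw header text rather than on Go's parsed cookie struct, so the same function can be pointed at responses captured from any server (for example in an integration test) to confirm that every session cookie a deployment issues is HttpOnly.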

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gorilla_cookie_missing_http_only

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gorilla_cookie_missing_http_only