Missing 'HttpOnly' option in cookie configuration


When set to "true", the "HttpOnly" attribute protects the cookie value from being accessed by client side JavaScript such as reading the "document.cookie" values. By enabling this protection, a website that is vulnerable to Cross-Site Scripting (XSS) will be able to block malicious scripts from accessing the cookie value from JavaScript.

It's essential to configure cookie security options properly, especially when using session management libraries like Gorilla Sessions in Go.


To ensure that cookies, particularly session cookies, are secure:

✅ Configure HttpOnly

Set the HttpOnly attribute to true within the Gorilla Sessions cookie store. This prevents client-side scripts from accessing the cookie data, reducing XSS attack risks.

import (

var store = sessions.NewCookieStore([]byte("your-secret-key"))

func MyHandler(w http.ResponseWriter, r *http.Request) {
// Get a session. We're ignoring the error resulted from decoding an
// existing session: Get() always returns a session, even if empty.
session, _ := store.Get(r, "session-name")
// Set some session values.
session.Values["foo"] = "bar"
// Set the session to be HttpOnly.
session.Options.HttpOnly = true
// Save changes.
session.Save(r, w)

✅ Leverage Gorilla SecureCookie

Utilize the encoding/decoding capabilities of Gorilla's SecureCookie to securely store session data.

✅ Implement Strong Session Management

Use Gorilla's session management features to create, renew, and expire sessions in a secure manner, preventing session fixation and other session-related attacks.


Associated CWE

OWASP Top 10


To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gorilla_cookie_missing_http_only

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gorilla_cookie_missing_http_only

Ready to take the next step? Learn more about Bearer Cloud.