Missing HTTP Only option in cookie configuration


The absence of the "HttpOnly" attribute in cookie settings leaves the cookie vulnerable to being accessed by client-side JavaScript, such as through "document.cookie". This vulnerability is particularly concerning for websites susceptible to Cross-Site Scripting (XSS) attacks, as it allows malicious scripts to read the cookie value. Properly configuring the "HttpOnly" attribute is a critical step in securing cookies, especially for session management.


  • Do set the HttpOnly attribute to true for cookies, especially session cookies, to prevent them from being accessed by client-side scripts. This is a key measure in mitigating the risk of XSS attacks.
    func MyHandler(w http.ResponseWriter, r *http.Request) {
    session, _ := store.Get(r, "session-name")
    session.Options.HttpOnly = true
    session.Save(r, w)
  • Do use Gorilla SecureCookie for encoding and decoding session data securely. This method provides an additional layer of security for session information.
    var s = sessions.NewCookieStore([]byte("your-secret-key"))
  • Do implement robust session management with Gorilla Sessions. Proper session management helps prevent attacks related to session fixation and enhances overall session security.


Associated CWE

OWASP Top 10


To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gorilla_cookie_missing_http_only

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gorilla_cookie_missing_http_only