Missing secure options for cookie detected.

• Rule ID: go_gorilla_insecure_cookie
• Languages: go
• Source: insecure_cookie.yml

Description

Cookies are a critical component of web session management. However, improperly secured cookies can expose your application to attacks, such as session hijacking and cross-site scripting (XSS). It's essential to configure cookie security options properly, especially when using session management libraries like Gorilla Sessions in Go.

Remediations

To ensure that cookies, particularly session cookies, are secure:

✅ Configure HttpOnly

Set the HttpOnly attribute to true within the Gorilla Sessions cookie store. This prevents client-side scripts from accessing the cookie data, reducing XSS attack risks.

import (
    "github.com/gorilla/sessions"
    "net/http"
)

var store = sessions.NewCookieStore([]byte("your-secret-key"))

func MyHandler(w http.ResponseWriter, r *http.Request) {
    // Get a session. We're ignoring the error resulted from decoding an
    // existing session: Get() always returns a session, even if empty.
    session, _ := store.Get(r, "session-name")
    // Set some session values.
    session.Values["foo"] = "bar"
    // Set the session to be HttpOnly.
    session.Options.HttpOnly = true
    // Save changes.
    session.Save(r, w)
}

✅ Set Secure Flag

If your site is served over HTTPS, also set the Secure flag on the cookie to ensure it's transmitted over secure channels only.

✅ Leverage Gorilla SecureCookie

Utilize the encoding/decoding capabilities of Gorilla's SecureCookie to securely store session data.

✅ Implement Strong Session Management

Use Gorilla's session management features to create, renew, and expire sessions in a secure manner, preventing session fixation and other session-related attacks.

Resources

• Gorilla Sessions Documentation
• OWASP Session Management Cheat Sheet
• OWASP Cookies Properties

Associated CWE

• CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
• CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

OWASP Top 10

• A05:2021 - Security Misconfiguration

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gorilla_insecure_cookie

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gorilla_insecure_cookie