Missing secure options for cookie detected.
- Rule ID: go_gorilla_insecure_cookie
- Languages: go
- Source: insecure_cookie.yml
Description
Cookies are a critical component of web session management. However, improperly secured cookies can expose your application to attacks, such as session hijacking and cross-site scripting (XSS). It's essential to configure cookie security options properly, especially when using session management libraries like Gorilla Sessions in Go.
Remediations
To ensure that cookies, particularly session cookies, are secure:
✅ Configure HttpOnly
Set the HttpOnly attribute to true within the Gorilla Sessions cookie store. The browser then refuses to expose the cookie to client-side scripts (for example via document.cookie), so an XSS payload cannot read the session identifier directly.
```go
package main

import (
	"net/http"

	"github.com/gorilla/sessions"
)

// Replace the placeholder key with a random secret loaded from configuration.
var store = sessions.NewCookieStore([]byte("your-secret-key"))

func MyHandler(w http.ResponseWriter, r *http.Request) {
	// Get a session. We're ignoring the error resulting from decoding an
	// existing session: Get() always returns a session, even if empty.
	session, _ := store.Get(r, "session-name")
	// Set some session values.
	session.Values["foo"] = "bar"
	// Set the session cookie to be HttpOnly.
	session.Options.HttpOnly = true
	// Save changes; Save writes the Set-Cookie header, so its error must be checked.
	if err := session.Save(r, w); err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
}
```
✅ Set Secure Flag
If your site is served over HTTPS, also set the Secure flag on the cookie to ensure it's transmitted over secure channels only.
✅ Leverage Gorilla SecureCookie
Utilize the encoding/decoding capabilities of Gorilla's SecureCookie to securely store session data.
✅ Implement Strong Session Management
Use Gorilla's session management features to create, renew, and expire sessions in a secure manner, preventing session fixation and other session-related attacks.
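The following is an added example, not code from the rule or from Gorilla Sessions, that shows the two flags above in runnable form. It uses only the standard library (Gorilla's sessions.Options maps onto the same http.Cookie fields), constructs sample cookie names and values, and includes a small audit that replays a handler and reports any cookie the rule would flag.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// secureSessionCookie builds a session cookie with the options the rule
// expects. Name, value and lifetime are constructed sample data.
func secureSessionCookie(name, value string, maxAge int) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		MaxAge:   maxAge,
		HttpOnly: true, // not readable from client-side script
		Secure:   true, // only sent over HTTPS
	}
}

// handler mirrors the remediated code: it emits a correctly flagged session
// cookie. The "legacy" cookie is a constructed example of the unremediated
// default (no flags) so the audit below has something to report.
func handler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, secureSessionCookie("session-name", "opaque-session-id", 3600))
	http.SetCookie(w, &http.Cookie{Name: "legacy", Value: "x", Path: "/"})
}

// insecureCookies returns the names of cookies in a response that lack
// HttpOnly or Secure: the rule's check, run against real Set-Cookie headers.
func insecureCookies(resp *http.Response) []string {
	var bad []string
	for _, c := range resp.Cookies() {
		if !c.HttpOnly || !c.Secure {
			bad = append(bad, c.Name)
		}
	}
	return bad
}

// auditHandler replays one request through h and reports insecure cookies.
func auditHandler(h http.HandlerFunc) []string {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest("GET", "/", nil))
	return insecureCookies(rec.Result())
}

func main() {
	fmt.Println("cookies missing HttpOnly or Secure:", auditHandler(handler))
}
```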
Resources
Associated CWE
- CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=go_gorilla_insecure_cookie
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=go_gorilla_insecure_cookie