Missing Secure option in cookie configuration

Description

The Secure attribute in cookie configuration tells the browser to send the cookie only over HTTPS connections. Without it, the cookie can also be sent over plain HTTP, where anyone on the network path can read it. Setting Secure to "true" keeps the cookie on encrypted channels and safeguards its contents during transmission.

Remediations

  • Do set the Secure flag for cookies if your site uses HTTPS. This action restricts cookies to secure channels, enhancing their security.
    http.SetCookie(w, &http.Cookie{
        Name:     "session_token",
        Value:    sessionToken,
        Secure:   true,
        HttpOnly: true,
    })
  • Do use Gorilla SecureCookie for encoding and decoding session data securely. This method provides an additional layer of security for session information.
    var s = sessions.NewCookieStore([]byte("your-secret-key"))
  • Do implement robust session management with Gorilla Sessions. Proper session management helps prevent attacks related to session fixation and enhances overall session security.
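The following is an added example, not code from the Bearer rule or from the Gorilla project: it sets the session cookie with both flags from the remediation above, places the insecure pattern the rule flags beside it, and adds a small check, built on the standard library's httptest, that reports any Set-Cookie header missing Secure or HttpOnly. Handler and cookie names are assumptions chosen for the example; with Gorilla Sessions the same flags belong on the store's Options field.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newSessionCookie builds the session cookie as the remediation describes:
// Secure so browsers send it only over HTTPS, HttpOnly so page scripts cannot read it.
func newSessionCookie(name, value string) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	}
}

// insecureHandler is the pattern this rule flags: the cookie carries no Secure flag.
func insecureHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{Name: "session_token", Value: "constructed-token"})
}

// secureHandler is the remediated form. (With Gorilla Sessions, set the same
// flags on store.Options, e.g. &sessions.Options{Secure: true, HttpOnly: true}.)
func secureHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, newSessionCookie("session_token", "constructed-token"))
}

// cookieFlagProblems runs a handler against a recorded request and lists every
// cookie in the response that lacks Secure or HttpOnly. It is a defender's check
// suitable for a unit test, not part of Bearer's scanner.
func cookieFlagProblems(h http.HandlerFunc) []string {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/login", nil))
	var problems []string
	for _, c := range rec.Result().Cookies() {
		if !c.Secure {
			problems = append(problems, c.Name+": missing Secure")
		}
		if !c.HttpOnly {
			problems = append(problems, c.Name+": missing HttpOnly")
		}
	}
	return problems
}

func main() {
	fmt.Println(cookieFlagProblems(insecureHandler)) // [session_token: missing Secure session_token: missing HttpOnly]
	fmt.Println(cookieFlagProblems(secureHandler))   // []
}
```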

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=go_gorilla_insecure_cookie

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=go_gorilla_insecure_cookie