Missing HTTP Only option in cookie configuration

Description

Missing the HTTP Only option in cookie configuration exposes cookies to client-side script access. This vulnerability occurs when cookies are set without the HttpOnly attribute, allowing them to be read by JavaScript running in the page. This can lead to sensitive information being compromised, especially if the site is susceptible to Cross-Site Scripting (XSS) attacks, since an injected script can read and exfiltrate the cookie.

Remediations

  • Do set the HttpOnly attribute for cookies to true. This prevents client-side scripts from accessing the cookie, so an XSS attack that does get through cannot steal it, which significantly reduces the impact of such attacks.
    http.SetCookie(w, &http.Cookie{
        Name:     "session_token",
        Value:    sessionToken,
        HttpOnly: true,
        ...
    })
  • Do also consider setting Secure, SameSite, and Domain attributes for cookies. These additional configurations help in further securing cookies against various web vulnerabilities, tailoring the protection to your application's specific needs.
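As an added example (not part of this rule's documentation or Bearer's own code), the setting the rule flags and the corrected setting side by side, plus a check that parses the response's Set-Cookie headers so a unit test catches a cookie that lost its HttpOnly attribute; handler names, the cookie value and the request path are assumptions:

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// setSessionCookie issues the session cookie with the attributes the remediation
// recommends: HttpOnly plus Secure and SameSite. Path and name are assumptions.
func setSessionCookie(w http.ResponseWriter, sessionToken string) {
	http.SetCookie(w, &http.Cookie{
		Name:     "session_token",
		Value:    sessionToken,
		Path:     "/",
		HttpOnly: true,                 // not readable through document.cookie
		Secure:   true,                 // only sent over HTTPS
		SameSite: http.SameSiteLaxMode, // not sent on cross-site POST requests
	})
}

// weakHandler sets the cookie the way the rule flags: no HttpOnly attribute.
func weakHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{Name: "session_token", Value: "constructed-token"})
}

// hardenedHandler is the corrected version of weakHandler.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	setSessionCookie(w, "constructed-token")
}

// responseFor runs a handler against a constructed request and returns its response.
func responseFor(h http.HandlerFunc) *http.Response {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/login", nil))
	return rec.Result()
}

// missingHttpOnly parses the response's Set-Cookie headers and returns the names
// of cookies that lack HttpOnly; it suits a regression test for this rule.
func missingHttpOnly(resp *http.Response) []string {
	var names []string
	for _, c := range resp.Cookies() {
		if !c.HttpOnly {
			names = append(names, c.Name)
		}
	}
	return names
}
```

missingHttpOnly reports ["session_token"] for weakHandler and nothing for hardenedHandler.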

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=go_lang_cookie_missing_http_only

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=go_lang_cookie_missing_http_only