Missing secure options for cookie detected

Description

When set to "true", the "HttpOnly" attribute prevents client-side JavaScript from reading the cookie value, for example through "document.cookie". With this protection enabled, even a website that is vulnerable to Cross-Site Scripting (XSS) keeps injected scripts from reading the cookie value from JavaScript, which limits what an XSS flaw can steal.

Remediations

To enhance cookie security and protect against common web exploits:

✅ Set the HttpOnly attribute for cookies to true. This prevents client-side scripts from accessing the cookie, reducing the risk of client-side attacks.

    http.SetCookie(w, &http.Cookie{
        Name:     "session_token",
        Value:    sessionToken,
        HttpOnly: true, // Secure the cookie from client-side scripts
        // Additional flags like Secure, SameSite, etc., should be set as needed.
    })

✅ Alongside HttpOnly, consider setting Secure, SameSite, and Domain attributes to further secure cookies based on your application’s requirements.
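The two remediations above, carried through as an added example (not code from the rule or from Bearer): a handler that sets the session cookie with HttpOnly, Secure and SameSite, and a small check that inspects the cookies a handler actually emitted and reports any that lack HttpOnly or Secure, so the condition this rule flags can also be caught in a unit test. The cookie name, Path and MaxAge values are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// setSessionCookie writes the session cookie with the hardened attributes
// recommended by the rule: HttpOnly, Secure and SameSite. The cookie name
// and the Path/MaxAge values are assumptions for this example.
func setSessionCookie(w http.ResponseWriter, sessionToken string) {
	http.SetCookie(w, &http.Cookie{
		Name:     "session_token",
		Value:    sessionToken,
		Path:     "/",
		MaxAge:   3600,
		HttpOnly: true,                 // not readable via document.cookie
		Secure:   true,                 // only sent over HTTPS
		SameSite: http.SameSiteLaxMode, // limits cross-site sending
	})
}

// insecureCookies returns the names of cookies in a response that lack
// HttpOnly (the condition this rule flags) or Secure. It parses the real
// Set-Cookie headers, so it checks what the client would receive.
func insecureCookies(resp *http.Response) []string {
	var bad []string
	for _, c := range resp.Cookies() {
		if !c.HttpOnly || !c.Secure {
			bad = append(bad, c.Name)
		}
	}
	return bad
}

// handlerCookies runs a handler against a recorded request and returns the response it produced.
func handlerCookies(h http.HandlerFunc) *http.Response {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/login", nil))
	return rec.Result()
}

func main() {
	resp := handlerCookies(func(w http.ResponseWriter, r *http.Request) {
		setSessionCookie(w, "example-token") // constructed sample value
	})
	fmt.Println("cookies missing HttpOnly/Secure:", insecureCookies(resp))
}
```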

Resources

For best practices on setting cookies securely, explore:

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_lang_cookie_missing_http_only

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_lang_cookie_missing_http_only
