Missing secure options for cookie detected


When set to "true", the "HttpOnly" attribute prevents client-side JavaScript from reading the cookie value, for example through "document.cookie". With this protection enabled, a website that is vulnerable to Cross-Site Scripting (XSS) still blocks injected scripts from reading the cookie value via JavaScript.


To enhance cookie security and protect against common web exploits:

✅ Set the HttpOnly attribute for cookies to true. This prevents client-side scripts from accessing the cookie, reducing the risk of client-side attacks.

http.SetCookie(w, &http.Cookie{
    Name:     "session_token",
    Value:    sessionToken,
    HttpOnly: true, // Secure the cookie from client-side scripts
    // Additional flags like Secure, SameSite, etc., should be set as needed.
})

✅ Alongside HttpOnly, consider setting Secure, SameSite, and Domain attributes to further secure cookies based on your application’s requirements.




To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=go_lang_cookie_missing_http_only

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=go_lang_cookie_missing_http_only
