Missing Secure option in cookie configuration

Description

Missing the Secure option in cookie configuration can compromise cookie security. The Secure attribute, when set to true, ensures cookies are sent to the server only over HTTPS, protecting them from interception by unauthorized parties.

Remediations

  • Do set the Secure attribute for cookies to true. This ensures cookies are transmitted securely over HTTPS, preventing unauthorized access.
    http.SetCookie(w, &http.Cookie{
        Name:   "session_token",
        Value:  sessionToken,
        Secure: true, // browser sends this cookie over HTTPS only
        // Additional flags like HttpOnly, SameSite, etc., should be set as needed.
    })
  • Do also set HttpOnly, SameSite, and Domain attributes for cookies as needed by your application. These attributes provide additional layers of security for your cookies.
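The following added example (not part of this rule page or of Bearer's code) shows a hardened session cookie next to a legacy one that omits Secure, plus a small check that inspects a recorded HTTP response and reports any Set-Cookie entries lacking the attribute. The handler names, the constructed session token and the 24-hour lifetime are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// newSessionCookie builds a session cookie with the hardened attributes this
// rule recommends: Secure (HTTPS only), HttpOnly (not readable from script)
// and SameSite=Strict (not sent on cross-site requests). Path and Expires are
// assumed values for the example.
func newSessionCookie(sessionToken string) *http.Cookie {
	return &http.Cookie{
		Name:     "session_token",
		Value:    sessionToken,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteStrictMode,
		Expires:  time.Now().Add(24 * time.Hour), // assumed lifetime
	}
}

// loginHandler is a hypothetical handler that issues the hardened cookie.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	// The token value is constructed for the example; real code would
	// generate it from a CSPRNG or a session store.
	http.SetCookie(w, newSessionCookie("constructed-token-1234"))
	w.WriteHeader(http.StatusNoContent)
}

// legacyLoginHandler is a hypothetical handler with the weakness this rule
// flags: the cookie is set without Secure, so a browser will also send it
// over plain HTTP.
func legacyLoginHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name:  "session_token",
		Value: "constructed-token-1234",
		Path:  "/",
	})
	w.WriteHeader(http.StatusNoContent)
}

// insecureCookieNames parses the Set-Cookie headers of a response and returns
// the names of cookies that lack the Secure attribute. It is a runtime
// complement to the static scanner rule, suitable for a handler unit test.
func insecureCookieNames(resp *http.Response) []string {
	var missing []string
	for _, c := range resp.Cookies() {
		if !c.Secure {
			missing = append(missing, c.Name)
		}
	}
	return missing
}

func main() {
	for name, h := range map[string]http.HandlerFunc{
		"hardened": loginHandler,
		"legacy":   legacyLoginHandler,
	} {
		rec := httptest.NewRecorder()
		h(rec, httptest.NewRequest(http.MethodPost, "/login", nil))
		resp := rec.Result()
		fmt.Printf("%s: %s\n", name, resp.Header.Get("Set-Cookie"))
		fmt.Printf("%s: cookies missing Secure: %v\n", name, insecureCookieNames(resp))
	}
}
```

Running the program prints both Set-Cookie headers; only the legacy handler's cookie is listed as missing Secure. The same check can be dropped into an httptest-based unit test so that a regression that drops the attribute fails the build, not just a scan.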

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_lang_insecure_cookie

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_lang_insecure_cookie