Missing secure options for cookie detected.

Description

Cookies set without the appropriate security attributes can be read by scripts injected through cross-site scripting (XSS), which can potentially provide an avenue for unauthorized access to your application.

Remediations

To enhance cookie security and protect against common web exploits:

Use HttpOnly Flag: Set the HttpOnly attribute for cookies to true. This prevents client-side scripts from accessing the cookie, reducing the risk of client-side attacks.

http.SetCookie(w, &http.Cookie{
    Name:     "session_token",
    Value:    sessionToken,
    HttpOnly: true, // Secure the cookie from client-side scripts
    // Additional flags like Secure, SameSite, etc., should be set as needed.
})

Additional Cookie Attributes: Alongside HttpOnly, consider setting Secure, SameSite, and Domain attributes to further secure cookies based on your application’s requirements.
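The following is an added example, not code from the Bearer documentation or from the rule itself. It issues a session cookie with HttpOnly, Secure and SameSite set, leaves Domain unset (a host-only cookie, the more restrictive default), and adds a small audit helper that reports which of those attributes a raw Set-Cookie header lacks, alongside the weak form the rule flags. The function and helper names and the token value are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// SetSessionCookie (hypothetical helper) issues a session cookie with the
// attributes the rule expects. sessionToken is assumed to be an opaque random value.
func SetSessionCookie(w http.ResponseWriter, sessionToken string) {
	http.SetCookie(w, &http.Cookie{
		Name:     "session_token",
		Value:    sessionToken,
		Path:     "/",
		MaxAge:   3600,                    // bound the session lifetime
		HttpOnly: true,                    // not readable via document.cookie
		Secure:   true,                    // only sent over HTTPS
		SameSite: http.SameSiteStrictMode, // not sent on cross-site requests
	})
}

// MissingCookieFlags inspects one raw Set-Cookie header value and returns the
// security attributes it lacks (lower-cased), in the order httponly, secure, samesite.
func MissingCookieFlags(setCookie string) []string {
	attrs := map[string]bool{}
	for _, part := range strings.Split(setCookie, ";")[1:] { // [0] is name=value
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		attrs[strings.ToLower(kv[0])] = true
	}
	var missing []string
	for _, want := range []string{"httponly", "secure", "samesite"} {
		if !attrs[want] {
			missing = append(missing, want)
		}
	}
	return missing
}

func main() {
	rec := httptest.NewRecorder()
	SetSessionCookie(rec, "constructed-example-token")
	for _, h := range rec.Header().Values("Set-Cookie") {
		fmt.Printf("%s\n  missing: %v\n", h, MissingCookieFlags(h))
	}
	// Constructed weak header of the kind the rule reports, for comparison.
	weak := "session_token=abc; Path=/"
	fmt.Printf("%s\n  missing: %v\n", weak, MissingCookieFlags(weak))
}
```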

Resources

For best practices on setting cookies securely, explore:

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=go_lang_insecure_cookie

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=go_lang_insecure_cookie
