Missing Secure option in cookie configuration

Description

When set to true, the Secure attribute tells the client (browser) to send the cookie to the server only over HTTPS. Without it, the cookie is also sent over plain HTTP, where anyone on the network path can read it, so session tokens and other sensitive values can be observed by unauthorized third parties.

Remediations

To enhance cookie security and protect against common web exploits:

✅ Set the Secure attribute for cookies to true. This stops the browser from sending the cookie over plaintext HTTP, so it cannot be observed by unauthorized third parties on the network.

    http.SetCookie(w, &http.Cookie{
        Name:   "session_token",
        Value:  sessionToken,
        Secure: true,
        // Additional flags like HttpOnly, SameSite, etc., should be set as needed.
    })

✅ Alongside Secure, consider setting HttpOnly, SameSite, and Domain attributes to further secure cookies based on your application’s requirements.
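The following is an added example, not part of the Bearer rule page: it shows the hardened form of the cookie (Secure, HttpOnly, SameSite) next to the legacy form the rule flags, plus a small helper that inspects a handler's response for cookies missing Secure so the check can live in unit tests. The function names and the sample token value are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// SetSessionCookie writes the session cookie with the attributes the rule asks
// for: Secure (HTTPS only), HttpOnly (no script access) and SameSite=Strict
// (not attached to cross-site requests). Hypothetical helper name.
func SetSessionCookie(w http.ResponseWriter, sessionToken string) {
	http.SetCookie(w, &http.Cookie{
		Name:     "session_token",
		Value:    sessionToken,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteStrictMode,
	})
}

// SetLegacySessionCookie is the "before" form the rule reports: the cookie
// is also sent over plain HTTP because Secure is left at its zero value.
func SetLegacySessionCookie(w http.ResponseWriter, sessionToken string) {
	http.SetCookie(w, &http.Cookie{
		Name:  "session_token",
		Value: sessionToken,
	})
}

// InsecureCookieNames parses the Set-Cookie headers of resp and returns the
// names of cookies that lack the Secure attribute. Use it in handler tests
// to catch regressions the scanner would otherwise flag later.
func InsecureCookieNames(resp *http.Response) []string {
	var names []string
	for _, c := range resp.Cookies() {
		if !c.Secure {
			names = append(names, c.Name)
		}
	}
	return names
}

func main() {
	rec := httptest.NewRecorder()
	SetLegacySessionCookie(rec, "sample-token") // constructed sample value
	fmt.Println("cookies without Secure:", InsecureCookieNames(rec.Result()))
}
```

Running main prints the legacy cookie's name; switching the call to SetSessionCookie yields an empty list.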

Resources

For best practices on setting cookies securely, explore:

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=go_lang_insecure_cookie

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=go_lang_insecure_cookie