Missing secure options for cookie detected.
- Rule ID: go_lang_insecure_cookie
- Languages: go
- Source: insecure_cookie.yml
Cookies set without proper security attributes can be read by client-side scripts, for example through a cross-site scripting (XSS) attack, and potentially provide an avenue for unauthorized access to your application.
To enhance cookie security and protect against common web exploits:
✅ Use HttpOnly Flag: Set the HttpOnly attribute for cookies to true. This prevents client-side scripts from accessing the cookie, reducing the risk of client-side attacks.

```go
HttpOnly: true, // Secure the cookie from client-side scripts
// Additional flags like Secure, SameSite, etc., should be set as needed.
```

✅ Additional Cookie Attributes: Alongside HttpOnly, consider setting the Secure, SameSite and Domain attributes to further secure cookies based on your application's requirements.
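The following Go program is an added example, not part of Bearer's rule or its documentation: it places the attribute-less cookie this rule flags beside a hardened one, then audits what a handler actually emits by parsing its Set-Cookie headers back with the standard library. The cookie name, value and the /login path are constructed sample data.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// hardenedCookie sets the attributes this rule expects; Domain stays unset so the cookie is host-only.
func hardenedCookie(name, value string) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    value,
		HttpOnly: true,                    // not readable by client-side scripts
		Secure:   true,                    // only sent over HTTPS
		SameSite: http.SameSiteStrictMode, // not attached to cross-site requests
	}
}

// MissingFlags lists the security attributes a cookie lacks; an empty result means hardened.
func MissingFlags(c *http.Cookie) []string {
	var missing []string
	if !c.HttpOnly {
		missing = append(missing, "HttpOnly")
	}
	if !c.Secure {
		missing = append(missing, "Secure")
	}
	if c.SameSite != http.SameSiteLaxMode && c.SameSite != http.SameSiteStrictMode { // absent or None
		missing = append(missing, "SameSite")
	}
	return missing
}

// CheckHandler serves one request to h and audits every Set-Cookie header it emitted, keyed by name.
func CheckHandler(h http.HandlerFunc) map[string][]string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/login", nil))
	report := map[string][]string{}
	for _, c := range rec.Result().Cookies() { // parsed back exactly as a browser would see them
		report[c.Name] = MissingFlags(c)
	}
	return report
}

func main() {
	// First cookie is the bare Name/Value shape this rule flags; second is the hardened form.
	for _, c := range []*http.Cookie{{Name: "session", Value: "abc"}, hardenedCookie("session", "abc")} {
		fmt.Println(CheckHandler(func(w http.ResponseWriter, r *http.Request) { http.SetCookie(w, c) }))
	}
}
```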
For best practices on setting cookies securely, explore:
- CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
- OWASP Top 10
To skip this rule during a scan, use the following flag:

```
bearer scan /path/to/your-project/ --skip-rule=go_lang_insecure_cookie
```

To run only this rule during a scan, use the following flag:

```
bearer scan /path/to/your-project/ --only-rule=go_lang_insecure_cookie
```