Missing HTTP Only option in cookie configuration

Description

Not setting the HTTP Only attribute to "true" in a cookie configuration leaves the cookie readable by client-side JavaScript (for example through `document.cookie`). This exposes the cookie value, especially on sites susceptible to Cross-Site Scripting (XSS) attacks, where an injected script could read a session cookie. Enabling HTTP Only is a critical step in preventing scripts from reading cookie values; it limits the impact of an XSS flaw rather than fixing the flaw itself.

Remediations

  • Do set the HTTP Only attribute to true for cookies so that they cannot be accessed by client-side JavaScript. This is a critical step in safeguarding cookies against unauthorized access, especially where XSS vulnerabilities exist.
    cookie.setHttpOnly(true);
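The snippet below is an added illustration of the pattern this rule flags and its remediation; it is not code from the Bearer project. It assumes the Servlet 3.x `javax.servlet.http.Cookie` API (the `jakarta.servlet` package name differs but has the same methods), and the cookie name is a placeholder.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public class SessionCookieExample {

    // Flagged by the rule: httpOnly defaults to false, so any script
    // running in the page can read this cookie via document.cookie.
    public static Cookie insecureSessionCookie(String sessionId) {
        Cookie cookie = new Cookie("SESSIONID", sessionId); // placeholder name
        cookie.setPath("/");
        return cookie;
    }

    // Remediated: HttpOnly set, so the browser withholds the cookie from
    // JavaScript while still sending it on HTTP requests.
    public static Cookie hardenedSessionCookie(String sessionId) {
        Cookie cookie = new Cookie("SESSIONID", sessionId); // placeholder name
        cookie.setPath("/");
        cookie.setHttpOnly(true);
        // Commonly paired with HttpOnly so the cookie is only sent over HTTPS;
        // this attribute is outside the scope of this particular rule.
        cookie.setSecure(true);
        return cookie;
    }

    // Issue the hardened cookie on a response; the resulting Set-Cookie
    // header carries the HttpOnly attribute.
    public static void issueSessionCookie(HttpServletResponse response, String sessionId) {
        response.addCookie(hardenedSessionCookie(sessionId));
    }

    // Small assertion helper for a unit test guarding against regressions.
    public static boolean isHttpOnly(Cookie cookie) {
        return cookie.isHttpOnly();
    }
}
```

A unit test calling `isHttpOnly(hardenedSessionCookie("x"))` should return true, while the same call on `insecureSessionCookie` returns false, which is the condition the scanner reports.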

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=java_lang_cookie_missing_http_only

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=java_lang_cookie_missing_http_only