Missing secure options for cookie detected.

Description

The "HttpOnly" attribute, when set to "true", prevents client-side JavaScript from reading the cookie value, for example through "document.cookie". The browser still sends the cookie with requests to the server, but it never exposes it to scripts running in the page. With this protection enabled, a website that is vulnerable to Cross-Site Scripting (XSS) can still stop malicious scripts from reading the cookie value from JavaScript, which limits what an injected script can steal.

Remediations

✅ Set setHttpOnly to true

cookie.setHttpOnly(true);
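As an added illustration, not code from the Bearer rule page or its project, the following hypothetical servlet helper places the cookie construction the rule flags next to the remediated form, and adds a small check that an integration test can run against the resulting Set-Cookie header; the class and method names are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

// Hypothetical helper class; the names are assumptions, not part of Bearer or any framework.
public final class SessionCookies {
    private static final SecureRandom RNG = new SecureRandom();

    // The pattern the rule flags: the cookie reaches the browser without HttpOnly,
    // so any script in the page (including one injected via XSS) can read it from document.cookie.
    static Cookie flaggedCookie(String token) {
        Cookie cookie = new Cookie("session_token", token);
        cookie.setPath("/");
        return cookie;
    }

    // Remediated form: with HttpOnly set the browser still sends the cookie to the server
    // but never exposes it to JavaScript, which limits what an XSS payload can read.
    static Cookie hardenedCookie(String token) {
        Cookie cookie = new Cookie("session_token", token);
        cookie.setPath("/");
        cookie.setHttpOnly(true);
        return cookie;
    }

    // Issue a fresh random session token and attach it to the response as an HttpOnly cookie.
    static String issueSession(HttpServletResponse resp) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        resp.addCookie(hardenedCookie(token));
        return token;
    }

    // Verification helper for integration tests: confirm a Set-Cookie header value carries
    // the HttpOnly attribute (attribute names are case-insensitive per RFC 6265).
    static boolean hasHttpOnly(String setCookieHeader) {
        String[] parts = setCookieHeader.split(";");
        for (int i = 1; i < parts.length; i++) { // parts[0] is the name=value pair
            if (parts[i].trim().equalsIgnoreCase("HttpOnly")) {
                return true;
            }
        }
        return false;
    }
}
```

Calling hasHttpOnly on the Set-Cookie header captured from a test client gives a regression check that the attribute was not lost when the cookie code is refactored.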

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_cookie_missing_http_only

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_cookie_missing_http_only
