Missing Secure option in cookie configuration

• Rule ID: java_lang_cookie_missing_secure
• Languages: java
• Source: cookie_missing_secure.yml

Description

Not setting the "Secure" attribute in cookie configuration can lead to unauthorized third-party access. This attribute, when enabled, ensures cookies are sent to the server only over HTTPS, enhancing security by preventing potential eavesdropping.

Remediations

• Do set the setSecure attribute to true to enforce the transmission of cookies over HTTPS only.

  cookie.setSecure(true);

Associated CWE

• CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

OWASP Top 10

• A05:2021 - Security Misconfiguration

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_cookie_missing_secure

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_cookie_missing_secure