Permissive HTTP Only option in cookie configuration

Description

Leaving the HttpOnly attribute unset or false on a cookie lets client-side JavaScript read its value through document.cookie. If the cookie carries a session identifier or another secret, any cross-site scripting flaw on the site becomes a session-hijacking flaw: an injected script reads the cookie and sends it to the attacker, who replays it to act as the victim. With HttpOnly set, the browser still attaches the cookie to requests but withholds it from script, so the same injection cannot exfiltrate it. HttpOnly narrows the impact of XSS rather than preventing it: an injected script can still issue requests that the browser sends with the cookie attached. It also says nothing about transport or cross-site sending, which are governed by the Secure and SameSite attributes; this rule checks HttpOnly only.

Remediations

  • Do set HttpOnly to true on every cookie that holds a session identifier or other secret, so the browser keeps it out of reach of client-side scripts. On javax.servlet.http.Cookie (Servlet 3.0 and later) this is a single call on the cookie before it is added to the response:
    cookie.setHttpOnly(true);
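The following servlet is an added example written for this page, not code from Bearer or from any project it scans. It shows the cookie construction this rule flags next to the remediated form, and a small header check of the kind an integration test would run. It assumes the javax.servlet API (Servlet 3.0 or later; on Jakarta EE 9 and later the imports become jakarta.servlet); the cookie name, the servlet, and the token generator are hypothetical.

```java
// Added example for this rule; not Bearer's code. Assumes the javax.servlet
// API (Servlet 3.0+). The cookie name, servlet and token source are
// hypothetical stand-ins.
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Locale;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LoginServlet extends HttpServlet {

    private static final SecureRandom RANDOM = new SecureRandom();

    // Flagged by the rule: HttpOnly is never set, and javax.servlet.http.Cookie
    // defaults it to false, so document.cookie on any page of the site can read
    // the session token.
    static Cookie insecureSessionCookie(String token) {
        Cookie cookie = new Cookie("SESSIONID", token);
        cookie.setPath("/");
        return cookie;
    }

    // Remediated form. HttpOnly is the attribute this rule checks; Secure and a
    // bounded lifetime are not, but a session cookie should carry them as well.
    static Cookie hardenedSessionCookie(String token) {
        Cookie cookie = new Cookie("SESSIONID", token);
        cookie.setPath("/");
        cookie.setHttpOnly(true);  // withheld from script, still sent on requests
        cookie.setSecure(true);    // only sent over HTTPS
        cookie.setMaxAge(30 * 60); // seconds
        return cookie;
    }

    // 256 random bits from a CSPRNG, URL-safe base64. Hypothetical stand-in for
    // a real session store; the point of the example is the cookie attributes.
    static String newToken() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    // Inspect a Set-Cookie header value the way an integration test would, so a
    // regression that drops HttpOnly (for example a framework or filter that
    // rebuilds the header) is caught even when the Cookie object looked right.
    static boolean setCookieHasHttpOnly(String setCookieHeader) {
        for (String part : setCookieHeader.split(";")) {
            if (part.trim().toLowerCase(Locale.ROOT).equals("httponly")) {
                return true;
            }
        }
        return false;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Credential verification against req belongs here; it is outside the
        // scope of this example.
        resp.addCookie(hardenedSessionCookie(newToken()));
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

A unit test can assert directly on the object (hardenedSessionCookie("x").isHttpOnly() must be true, insecureSessionCookie("x").isHttpOnly() is false), while setCookieHasHttpOnly("SESSIONID=abc; Path=/; Secure; HttpOnly") returning true and the same header without the HttpOnly token returning false covers the wire form. Note that setHttpOnly only affects cookies your code constructs; the container-managed JSESSIONID is configured separately, in web.xml under session-config, cookie-config, http-only set to true (Servlet 3.0 and later).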

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_cookie_with_http_only_false

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_cookie_with_http_only_false