Missing Secure option in cookie configuration

Description

When a cookie lacks the Secure option, the browser will also attach it to plain-HTTP requests for the same host, so it can be read by anyone able to observe that unencrypted traffic. The Secure option instructs the browser to send the cookie only over HTTPS, which keeps it out of cleartext connections.

Remediations

  • Do set the Secure option to true for cookies to ensure they are only sent over HTTPS, enhancing the security of data transmission.
    cookie.setSecure(true);
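The pattern this rule flags beside its remediated form, as an added example using the javax.servlet API (not code from the Bearer documentation); the cookie name and the Servlet 3.0+ setHttpOnly call are assumptions.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public class SessionCookieExample {

    // Flagged by java_lang_insecure_cookie: no setSecure(true), so the browser
    // will also send this cookie on plain-HTTP requests to the same host.
    public static Cookie insecureSessionCookie(String sessionId) {
        Cookie cookie = new Cookie("SESSIONID", sessionId); // name is assumed
        cookie.setPath("/");
        return cookie;
    }

    // Remediated form: Secure restricts the cookie to HTTPS. HttpOnly is not
    // what this rule checks, but it is the usual companion for a session cookie.
    public static Cookie secureSessionCookie(String sessionId) {
        Cookie cookie = new Cookie("SESSIONID", sessionId);
        cookie.setPath("/");
        cookie.setSecure(true);
        cookie.setHttpOnly(true);
        return cookie;
    }

    // Caveat: setSecure(request.isSecure()) is a common "fix" that silently
    // drops the flag when TLS is terminated at a proxy and the application
    // itself sees plain HTTP. Set it unconditionally and serve over HTTPS.
    public static void addSessionCookie(HttpServletResponse response, String sessionId) {
        response.addCookie(secureSessionCookie(sessionId));
    }
}
```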

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=java_lang_insecure_cookie

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=java_lang_insecure_cookie