Missing HTTP Only option in cookie configuration

• Rule ID: javascript_express_cookie_missing_http_only
• Languages: javascript
• Source: cookie_missing_http_only.yml

Description

Your cookies are at risk if the HTTP Only option is not configured. This setting prevents client-side JavaScript, such as the code that reads "document.cookie" values, from accessing the cookie's value. Enabling this option is crucial for websites prone to Cross-Site Scripting (XSS) attacks, because it prevents malicious scripts from obtaining the cookie's data.

Remediations

• Do set the HttpOnly attribute to true in your cookie configuration. This action ensures that cookies are shielded from unauthorized client-side access.

  cookie({ httpOnly: true });

References

• Express Security Best Practices

Associated CWE

• CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

OWASP Top 10

• A05:2021 - Security Misconfiguration

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_express_cookie_missing_http_only

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_express_cookie_missing_http_only