Missing 'HttpOnly' option in cookie configuration

Description

The "HttpOnly" attribute, when set to "true", instructs the browser to withhold the cookie from client-side JavaScript, so it cannot be read through "document.cookie". With this protection enabled, a website that is vulnerable to Cross-Site Scripting (XSS) still prevents injected scripts from reading the cookie value, which limits the damage an XSS flaw can do (for example, stealing a session cookie).

Remediations

✅ Set the cookie's httpOnly flag so it is sent only with HTTP(S) requests and is never exposed to client-side JavaScript.

  // Express: pass httpOnly in the options object of res.cookie(name, value, options)
  res.cookie("session", sessionId, { httpOnly: true })
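The following is an added example, not code from Bearer or Express, showing what the option changes on the wire and why it matters. It uses a simplified Set-Cookie serializer (an assumption standing in for the `cookie` package that `res.cookie()` uses internally) and a model of the browser's `document.cookie` view, so it runs without any dependencies; the cookie names and values are constructed.

```javascript
// Added example (not Bearer's or Express's own code): shows how the `httpOnly`
// option becomes the HttpOnly attribute on the Set-Cookie header and why that
// keeps the cookie out of client-side JavaScript.

// Simplified serializer mirroring what express's res.cookie() emits; this is an
// assumption for illustration, not the real `cookie` package.
function serializeCookie(name, value, options = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (options.maxAge !== undefined) {
    parts.push(`Max-Age=${Math.floor(options.maxAge / 1000)}`); // express takes ms
  }
  parts.push(`Path=${options.path || "/"}`);
  if (options.secure) parts.push("Secure");
  if (options.httpOnly) parts.push("HttpOnly");
  if (options.sameSite) parts.push(`SameSite=${options.sameSite}`);
  return parts.join("; ");
}

// Model of what a browser exposes through document.cookie: only cookies whose
// Set-Cookie header lacks the HttpOnly attribute are visible to script.
function documentCookieView(setCookieHeaders) {
  return setCookieHeaders
    .filter((header) => !header.split("; ").includes("HttpOnly"))
    .map((header) => header.split("; ")[0])
    .join("; ");
}

// Lint-style check in the spirit of the Bearer rule: a cookie options object
// that does not set httpOnly to true is reported.
function missingHttpOnly(options) {
  return options.httpOnly !== true;
}

// Constructed sample: the weak configuration the rule flags, and the fix.
const weakOptions = { secure: true, sameSite: "Strict" };
const fixedOptions = { secure: true, sameSite: "Strict", httpOnly: true };

const headers = [
  serializeCookie("session", "abc123", weakOptions),
  serializeCookie("session_fixed", "abc123", fixedOptions),
];

console.log("weak options flagged:", missingHttpOnly(weakOptions));   // true
console.log("fixed options flagged:", missingHttpOnly(fixedOptions)); // false
console.log("Set-Cookie headers:", headers);
// Only the cookie set without httpOnly is readable by script:
console.log("document.cookie would show:", documentCookieView(headers)); // "session=abc123"
```

The `documentCookieView` output is the practical point: with `httpOnly: true`, an injected script that reads `document.cookie` sees nothing for that cookie, while the browser still attaches it to every HTTP(S) request.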

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_express_cookie_missing_http_only

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_express_cookie_missing_http_only
