Usage of default cookie configuration

• Rule ID: javascript_express_default_cookie_config
• Languages: javascript
• Source: default_cookie_config.yml

Description

Using default cookie configurations can expose your application to security risks. This vulnerability arises when cookies are set with their default values, making them predictable and easier to exploit.

Remediations

• Do not rely on default cookie names.
• Do use generic, non-descriptive names for session cookies. This makes it harder for attackers to identify and exploit the session management mechanism of your application.
• Do always specify a maxAge or expires value to control cookie lifetime.

References

• Express Security Best Practices

Associated CWE

• CWE-693: Protection Mechanism Failure

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_express_default_cookie_config

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_express_default_cookie_config