Missing Secure option in cookie configuration

  • Rule ID: javascript_express_insecure_cookie
  • Languages: javascript
  • Source: insecure_cookie.yml

Description

When a cookie lacks the Secure attribute, it can be transmitted over an unencrypted connection, making it vulnerable to interception by unauthorized parties. Enabling the Secure option ensures that cookies are only sent over HTTPS, enhancing the security of data in transit.

Remediations

  • Do set the secure attribute of cookies to true. This action mandates that cookies are sent only over HTTPS, safeguarding them from potential eavesdropping.
    cookie({ secure: true });
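To make the attribute concrete, the following added example (not Bearer's rule code and not the Express source) shows what the Secure attribute looks like on the wire and how a small audit can flag Set-Cookie headers that lack it. It re-implements a simplified form of what Express's res.cookie(name, value, options) serializes, so it runs with Node.js built-ins alone; the cookie names and values are constructed sample data.

```javascript
// Added example, not part of the Bearer rule or Express.
// Serialize a cookie the way res.cookie(name, value, options) does in Express.
// This is a simplified stand-in for illustration, not the express source.
function serializeCookie(name, value, options = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (options.maxAge !== undefined) {
    // Express takes maxAge in milliseconds; Max-Age on the wire is in seconds.
    parts.push(`Max-Age=${Math.floor(options.maxAge / 1000)}`);
  }
  if (options.path) parts.push(`Path=${options.path}`);
  if (options.httpOnly) parts.push("HttpOnly");
  if (options.secure) parts.push("Secure"); // the attribute this rule checks for
  if (options.sameSite) parts.push(`SameSite=${options.sameSite}`);
  return parts.join("; ");
}

// Parse one Set-Cookie header value into the cookie name and its attribute names.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  const attributes = new Set(attrs.map((a) => a.split("=")[0].toLowerCase()));
  return { name, attributes };
}

// Audit helper: names of cookies in the given Set-Cookie headers that lack Secure.
// Useful as a response check in an integration test or a reverse-proxy log review.
function findInsecureCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter(({ attributes }) => !attributes.has("secure"))
    .map(({ name }) => name);
}

// Constructed sample: the call the rule flags beside the remediated call.
const insecureHeader = serializeCookie("sessionId", "abc123", { httpOnly: true });
const secureHeader = serializeCookie("sessionId", "abc123", { httpOnly: true, secure: true });

console.log("flagged:   ", insecureHeader); // sessionId=abc123; HttpOnly
console.log("remediated:", secureHeader);   // sessionId=abc123; HttpOnly; Secure
console.log("audit:     ", findInsecureCookies([insecureHeader, secureHeader, "theme=dark; Path=/"]));
```

When the same option is set through express-session (cookie: { secure: true }), remember that a Node process behind a TLS-terminating proxy sees a plain HTTP request; express-session then refuses to set the cookie unless the app also sets trust proxy, so the fix should be verified end to end by inspecting the actual Set-Cookie response header rather than the source alone.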

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=javascript_express_insecure_cookie

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=javascript_express_insecure_cookie