Missing secure options for cookie detected.
- Rule ID: javascript_express_insecure_cookie
- Languages: javascript
- Source: insecure_cookie.yml
Description
To make sure cookies don't open your application up to exploits or unauthorized access, make sure to set security options appropriately.
Remediations
✅ Set cookie security values to use HTTP(S) instead of client-side javascript.
✅ Set secure
values to true
to force cookies to only send over HTTPS.
Resources
Associated CWE
- CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
OWASP Top 10
Ready to take the next step? Join the Bearer Cloud waitlist.