Missing secure options for cookie detected.
- Rule ID: javascript_express_insecure_cookie
- Languages: javascript
- Source: insecure_cookie.yml
Description
To make sure cookies don't open your application up to exploits or unauthorized access, make sure to set security options appropriately.
Remediations
✅ Set cookie security values to use HTTP(S) instead of client-side javascript.
✅ Set secure
values to true
to force cookies to only send over HTTPS.
Resources
Associated CWE
- CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=javascript_express_insecure_cookie
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=javascript_express_insecure_cookie
Ready to take the next step? Learn more about Bearer Cloud.