Missing HTTP Only option in cookie configuration
- Rule ID: php_lang_cookie_missing_http_only
- Languages: php
- Source: cookie_missing_http_only.yml
Description
Not setting the "httponly" attribute to "true" in cookie configurations leaves the cookie vulnerable to being accessed by client-side JavaScript. This oversight can lead to the exposure of cookie values, especially on websites susceptible to Cross-Site Scripting (XSS) attacks. Enabling "httponly" is a critical step in preventing malicious scripts from reading the cookie values through JavaScript.
Remediations
- Do set the
httponly
attribute totrue
in your cookie configurations. This action prevents client-side scripts from sending or accessing the cookie, enhancing your application's security against XSS attacks.setcookie("name", "value", httponly: true);
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=php_lang_cookie_missing_http_only
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=php_lang_cookie_missing_http_only