Missing secure options for cookie detected.
- Rule ID: php_lang_insecure_cookie
- Languages: php
- Source: insecure_cookie.yml
Description
To make sure cookies don't open your application up to exploits or unauthorized access, make sure to set security options appropriately.
Remediations
✅ Set httponly to true to avoid the cookie being sent by client-side scripts.
✅ Set secure to true to force cookies to only send over HTTPS.
Associated CWE
- CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=php_lang_insecure_cookieTo run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=php_lang_insecure_cookieReady to take the next step? Learn more about Bearer Cloud.