Missing HTTP Only option in cookie configuration

Description

Not setting the "httpOnly" attribute to "true" in cookie configurations leaves the cookie vulnerable to being accessed by client-side JavaScript. This oversight can lead to the exposure of cookie values, especially on websites susceptible to Cross-Site Scripting (XSS) attacks. Enabling "httpOnly" is a critical step in preventing malicious scripts from reading the cookie values through JavaScript.

Remediations

  • Set the httpOnly attribute to true in your cookie configurations. This prevents client-side scripts from sending or accessing the cookie, hardening your application against XSS attacks.
    Cookie::create($name, $value, httpOnly: true);
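
The following is an added example, not code from the Bearer rule page or from the Symfony project. It places the pattern this rule flags (httpOnly explicitly disabled) next to the remediated form, shows the same fix through Symfony's immutable `withHttpOnly()` builder method, and includes a small check that the cookie attached to a Response actually carries the HttpOnly flag. It assumes Symfony HttpFoundation is installed via Composer; the cookie name `session_token`, the `$token` value, and the function names are constructed for illustration.

```php
<?php
// Added example (not from the Bearer rule page or the Symfony project).
// Assumes symfony/http-foundation is installed via Composer. The cookie
// name "session_token" and the $token value are constructed sample data.

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\Response;

/**
 * Flagged by php_symfony_cookie_missing_http_only: httpOnly is explicitly
 * disabled, so any script running in the page can read the cookie via
 * document.cookie. (Symfony's own default for Cookie::create() is httpOnly=true;
 * the rule fires when code turns it off or passes false positionally.)
 */
function responseWithExposedCookie(string $token): Response
{
    $cookie = Cookie::create('session_token', $token, httpOnly: false);

    $response = new Response('ok');
    $response->headers->setCookie($cookie);

    return $response;
}

/**
 * Remediated form: httpOnly set to true using the named-argument style from
 * the remediation above. Secure and SameSite are set alongside it so the
 * cookie is only sent over TLS and is not attached to cross-site requests.
 */
function responseWithProtectedCookie(string $token): Response
{
    $cookie = Cookie::create(
        'session_token',
        $token,
        httpOnly: true,
        secure: true,
        sameSite: Cookie::SAMESITE_LAX,
    );

    $response = new Response('ok');
    $response->headers->setCookie($cookie);

    return $response;
}

/**
 * The same fix expressed with Cookie's immutable "with*" methods. Useful when
 * the Cookie object is built elsewhere and adjusted before being attached.
 */
function hardenExistingCookie(Cookie $cookie): Cookie
{
    return $cookie
        ->withHttpOnly(true)
        ->withSecure(true);
}

/**
 * Self-check a practitioner can run in a test: inspect the cookies attached
 * to the response and confirm the session cookie carries the HttpOnly flag,
 * which is what the browser will see in the Set-Cookie header.
 */
function hasHttpOnlyFlag(Response $response, string $name): bool
{
    foreach ($response->headers->getCookies() as $cookie) {
        if ($cookie->getName() === $name) {
            return $cookie->isHttpOnly();
        }
    }

    return false;
}

// Constructed sample token; a real application would issue this from its
// session or authentication layer.
$token = bin2hex(random_bytes(16));

printf(
    "exposed cookie HttpOnly: %s\n",
    hasHttpOnlyFlag(responseWithExposedCookie($token), 'session_token') ? 'yes' : 'no'
);
printf(
    "protected cookie HttpOnly: %s\n",
    hasHttpOnlyFlag(responseWithProtectedCookie($token), 'session_token') ? 'yes' : 'no'
);
```

Run it with `php example.php` from a project that has `symfony/http-foundation` installed. The `hasHttpOnlyFlag()` check is the kind of assertion worth keeping in a functional test so that a later refactor cannot quietly reintroduce the exposed form.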

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_symfony_cookie_missing_http_only

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_symfony_cookie_missing_http_only