Missing 'HTTPOnly' options in cookie configuration

Description

The "HttpOnly" attribute, when set to "true", prevents client-side JavaScript from reading the cookie value, for example through "document.cookie". On a site with a Cross-Site Scripting (XSS) flaw, this stops an injected script from reading the session cookie and exfiltrating it. It is a containment measure, not a fix for the XSS itself: the browser still attaches the cookie to requests the injected script makes to the same origin, so those requests run with the victim's session.

Remediations

✅ Set httpOnly to true so that client-side scripts cannot read the cookie value. The cookie is still sent by the browser on matching requests; only script access is blocked.
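The following is an added example, not code from the Bearer documentation or the Symfony project. It shows the cookie construction this rule flags beside the corrected form, using Symfony's HttpFoundation `Cookie` API (the fluent `with*` methods exist since Symfony 5.1, and `httpOnly` is the seventh positional constructor argument). The cookie name and value are placeholders chosen for the example.

```php
<?php
// Added example (not Bearer's or Symfony's own code). Assumes
// symfony/http-foundation is installed: composer require symfony/http-foundation
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\Response;

// Flagged by this rule: httpOnly is explicitly false, so any script running in
// the page, including one injected through XSS, can read it via document.cookie.
$weak = Cookie::create('session_token')
    ->withValue('opaque-session-id')          // placeholder value (assumed)
    ->withSecure(true)
    ->withHttpOnly(false);

// The same mistake in the older positional form: the 7th argument is httpOnly.
$positionalWeak = new Cookie('session_token', 'opaque-session-id', 0, '/', null, true, false);

// Corrected: keep Symfony's default of httpOnly = true, alongside Secure and
// SameSite. The browser still sends the cookie on matching requests; scripts
// simply cannot read its value.
$hardened = Cookie::create('session_token')
    ->withValue('opaque-session-id')
    ->withSecure(true)
    ->withHttpOnly(true)
    ->withSameSite(Cookie::SAMESITE_LAX);

$response = new Response('ok');
$response->headers->setCookie($hardened);

// Self-check a reviewer or unit test can run: isHttpOnly() reports the flag,
// and the Set-Cookie string shows whether "; httponly" is emitted.
foreach (['weak' => $weak, 'positionalWeak' => $positionalWeak, 'hardened' => $hardened] as $label => $cookie) {
    printf(
        "%-15s HttpOnly=%-5s  %s\n",
        $label,
        $cookie->isHttpOnly() ? 'true' : 'false',
        (string) $cookie
    );
}
```

Because `httpOnly` defaults to `true` in both `new Cookie(...)` and `Cookie::create(...)`, the finding almost always comes from code that passes `false` explicitly, either by keyword or as the seventh positional argument. Fixing it is usually a matter of dropping that argument rather than adding one.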

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_symfony_cookie_missing_http_only

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_symfony_cookie_missing_http_only
