Missing Secure option in cookie configuration
- Rule ID: php_symfony_insecure_cookie
- Languages: php
- Source: insecure_cookie.yml
Description
When a cookie lacks the Secure attribute, it can be transmitted over insecure connections, making it vulnerable to interception by unauthorized parties. The Secure attribute is important because it instructs the browser to only send the cookie over HTTPS, enhancing security.
Remediations
- Do set the
Secure
attribute totrue
for cookies to ensure they are only sent over HTTPS.$cookie = Cookie::create($name, $value);
$cookie->withSecure(true);
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=php_symfony_insecure_cookie
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=php_symfony_insecure_cookie