Usage of insecure cookie settings

Description

Using insecure cookie settings when configuring your application poses a significant security risk. If session (or CSRF) cookies are transmitted over an unencrypted HTTP connection, an attacker who can observe the traffic could capture a cookie and use it to hijack the user's session, thereby gaining unauthorized access to potentially sensitive data and resources.

To prevent this vulnerability, always enable the secure attribute for session and CSRF cookies in your settings.py file (SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE), so that browsers only send these cookies over HTTPS. This is especially important for production environments.

Remediations

  • Do not disable secure session cookies or CSRF cookies in production environments

    SESSION_COOKIE_SECURE = False # unsafe
    CSRF_COOKIE_SECURE = False # unsafe
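As an added example (not part of the Bearer rule or of Django), the following Python check parses a settings module with the standard-library ast module and reports each of the two cookie settings that is missing, explicitly False, or computed at runtime; it goes slightly beyond the rule text by treating an unset value as a finding, because Django's default for both settings is False. The sample settings modules are constructed.

```python
import ast

# Settings the check covers; Django defaults both to False, so an
# unset value is reported as insecure as well.
COOKIE_SECURE_SETTINGS = ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE")


def find_insecure_cookie_settings(settings_source: str) -> dict:
    """Return {setting: reason} for each cookie setting not securely set.

    Only module-level assignments are examined. A value that is not a
    literal (e.g. derived from an environment variable) cannot be judged
    statically and is flagged for manual verification. As in Python, the
    last assignment to a name wins.
    """
    tree = ast.parse(settings_source)
    seen = {}  # setting name -> True / False / None (dynamic)
    for node in tree.body:
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name) and target.id in COOKIE_SECURE_SETTINGS:
                value = node.value
                if isinstance(value, ast.Constant):
                    seen[target.id] = bool(value.value)
                else:
                    seen[target.id] = None
    findings = {}
    for name in COOKIE_SECURE_SETTINGS:
        if name not in seen:
            findings[name] = "not set (Django default is False)"
        elif seen[name] is None:
            findings[name] = "set dynamically; verify the production value"
        elif seen[name] is False:
            findings[name] = "explicitly set to False"
    return findings


# Constructed sample settings modules (not taken from any real project).
UNSAFE_SETTINGS = """
DEBUG = False
SESSION_COOKIE_SECURE = False  # unsafe
CSRF_COOKIE_SECURE = False  # unsafe
"""

SAFE_SETTINGS = """
DEBUG = False
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
"""

if __name__ == "__main__":
    for label, src in (("unsafe", UNSAFE_SETTINGS), ("safe", SAFE_SETTINGS)):
        print(label, find_insecure_cookie_settings(src) or "no findings")
```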

Associated CWE

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=python_django_insecure_cookie_settings

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=python_django_insecure_cookie_settings