Session store with HttpOnly set to false detected.
- Rule ID: ruby_rails_session_with_httponly_disabled
- Languages: ruby
- Source: session_with_httponly_disabled.yml
Description
To mitigate Cross-Site Scripting (XSS) attacks, session cookies should not be readable from JavaScript. By default, Rails enforces this by setting the HttpOnly flag to true on session cookies. Setting this flag to false makes the session cookie readable by any script running in the page and puts the application at risk of session theft through Cross-Site Scripting.
Remediations
❌ Do not disable the httponly flag when configuring the Rails session_store
Rails.application.config.session_store :cookie_store, key: "some_key", httponly: false
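As an added example (this is not Bearer's rule engine or any code from the Bearer project), the following Ruby checker implements the same detection over the source of a session-store initializer using Ruby's bundled Ripper parser, so that spacing, quoting style, parentheses and the `httponly:` versus `:httponly =>` forms all match, while an `httponly: false` on some unrelated cookie is ignored. The sample initializer line is constructed.

```ruby
require "ripper"

# Constructed sample of a config/initializers/session_store.rb line that this
# rule flags (not taken from any real project).
FLAGGED_INITIALIZER =
  'Rails.application.config.session_store :cookie_store, key: "_app_session", httponly: false'

# Is +key+ the hash key `httponly`, written as `httponly:` or `:httponly =>`?
def httponly_key?(key)
  return false unless key.is_a?(Array)
  (key[0] == :@label && key[1] == "httponly:") ||
    (key[0] == :symbol_literal && key.dig(1, 1, 1) == "httponly")
end
# Is +value+ the literal `false`?
def false_literal?(value)
  value.is_a?(Array) && value[0] == :var_ref && value.dig(1, 1) == "false"
end
# Does an `httponly => false` pair appear anywhere under +node+?
def contains_httponly_false?(node)
  return false unless node.is_a?(Array)
  return true if node[0] == :assoc_new && httponly_key?(node[1]) && false_literal?(node[2])
  node.any? { |child| contains_httponly_false?(child) }
end
# The identifier node naming the method a call node invokes, or nil for other nodes.
def call_name(node)
  case node[0]
  when :command_call, :call then node[3]
  when :command, :fcall     then node[1]
  when :method_add_arg      then call_name(node[1])
  end
end
def session_store_call?(node)
  name = call_name(node)
  name.is_a?(Array) && name[0] == :@ident && name[1] == "session_store"
end
# Is there a session_store call under +node+ whose arguments disable httponly?
# The key is matched only inside a session_store call, so `httponly: false`
# on some other cookie is not reported.
def flagged_call?(node)
  return false unless node.is_a?(Array)
  return true if session_store_call?(node) && contains_httponly_false?(node)
  node.any? { |child| flagged_call?(child) }
end
# True when +source+ configures the Rails session_store with httponly set to false.
# Syntactically invalid input yields false: there is nothing to inspect.
def session_httponly_disabled?(source)
  sexp = Ripper.sexp(source)
  !sexp.nil? && flagged_call?(sexp)
end
```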
Configuration
To skip this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --skip-rule=ruby_rails_session_with_httponly_disabled
To run only this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --only-rule=ruby_rails_session_with_httponly_disabled