Session store with HttpOnly set to false detected.

Rule ID: ruby_rails_session_with_httponly_disabled
Languages: ruby
Source: session_with_httponly_disabled.yml

Description

To mitigate against Cross-Site Scripting attacks, we should avoid accessing session cookies using JavaScript. By default, Rails avoids this by setting the HttpOnly flag to true on session cookies. Setting this flag to false puts our application at risk of Cross-Site Scripting attacks.

Remediations

❌ Do not disable httponly flag if configuring Rails session_store

Rails.application.config.session_store :cookie_store, key: "some_key", httponly: false

Resources

OWASP HttpOnly

Associated CWE

CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

OWASP Top 10

A05:2021 - Security Misconfiguration

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_session_with_httponly_disabled

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_rails_session_with_httponly_disabled

Ready to take the next step? Learn more about Bearer Cloud.