Missing 'HttpOnly' flag in session cookie configuration

Description

To mitigate Cross-Site Scripting attacks, session cookies should not be accessible from JavaScript. By default, Rails enforces this by setting the HttpOnly flag to true on session cookies. Setting this flag to false exposes the session cookie to any script injected through a Cross-Site Scripting attack.

Remediations

❌ Do not disable the httponly flag when configuring the Rails session_store

Rails.application.config.session_store :cookie_store, key: "some_key", httponly: false
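The following is an added example, not Bearer's own rule implementation: a small Ruby checker that scans session_store configuration lines (constructed sample input below) for an explicit httponly: false and shows the hardened form of each offending line. The helper names find_httponly_disabled and harden are assumptions for this illustration.

```ruby
# Added example (not Bearer's rule code): flag Rails session_store lines that
# explicitly disable the HttpOnly flag, and show the corrected line.

# Constructed sample lines, mimicking config/initializers/session_store.rb.
# Only the first line is a finding: omitting the option is safe because the
# Rails default is httponly: true.
SAMPLE_CONFIG = <<~RUBY
  Rails.application.config.session_store :cookie_store, key: "some_key", httponly: false
  Rails.application.config.session_store :cookie_store, key: "_app_session"
  Rails.application.config.session_store :cookie_store, key: "_app_session", httponly: true, secure: true
RUBY

# Returns [line_number, line] pairs for every session_store call that sets
# httponly to false.
def find_httponly_disabled(source)
  source.each_line.with_index(1).select do |line, _idx|
    line.include?("session_store") && line.match?(/httponly:\s*false\b/)
  end.map { |line, idx| [idx, line.strip] }
end

# Rewrites an offending line to the safe setting. Dropping the option
# entirely would be equivalent, since Rails defaults to httponly: true.
def harden(line)
  line.sub(/httponly:\s*false\b/, "httponly: true")
end

if __FILE__ == $PROGRAM_NAME
  find_httponly_disabled(SAMPLE_CONFIG).each do |idx, line|
    puts "line #{idx}: #{line}"
    puts "  fix:    #{harden(line)}"
  end
end
```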

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_session_with_httponly_disabled

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=ruby_rails_session_with_httponly_disabled
