Missing HTTP Only option in cookie configuration

Description

Disabling httponly in your cookie configuration exposes your session cookies to theft through Cross-Site Scripting (XSS). When the HttpOnly attribute is absent, any script running in the page, including script injected by an attacker, can read the session cookie through document.cookie and use it to hijack the session. Rails protects your application by enabling HttpOnly by default, which tells the browser to withhold the cookie from JavaScript. Setting httponly to false removes that protection and greatly increases the impact of an XSS attack on your application.

Remediations

  • Do not set the httponly flag to false when configuring the Rails session_store.
  • Do keep this flag enabled (or omit it, since Rails defaults to true) so that JavaScript cannot access session cookies, reducing the impact of XSS attacks.
    Rails.application.config.session_store :cookie_store, key: "some_key", httponly: true
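The following is an added example and is not part of Bearer's own rule implementation: a small, self-contained Ruby check that scans the text of a constructed initializer for session_store calls that explicitly disable httponly (both hash-style spellings, across line continuations), and a helper that mirrors the Rails default of treating a missing httponly option as enabled.

```ruby
# Constructed, simplified detection logic in the spirit of this rule.
# It is not Bearer's implementation; it only inspects source text.
SESSION_STORE_RE   = /\bsession_store\b/
HTTPONLY_DISABLED_RE = /(?::httponly\s*=>|\bhttponly:)\s*false\b/

# Returns one finding per session_store call that sets httponly to false.
# A call spanning several lines (trailing comma or open parenthesis) is
# joined before matching, so `httponly: false` on a later line is caught.
def find_httponly_disabled(source)
  findings = []
  lines = source.lines
  i = 0
  while i < lines.length
    if lines[i] =~ SESSION_STORE_RE
      start = i
      stmt = lines[i].dup
      while i + 1 < lines.length &&
            (stmt.rstrip.end_with?(",") || stmt.count("(") > stmt.count(")"))
        i += 1
        stmt << lines[i]
      end
      if stmt =~ HTTPONLY_DISABLED_RE
        findings << { line: start + 1, statement: stmt.strip }
      end
    end
    i += 1
  end
  findings
end

# Mirrors the Rails default: the cookie is HttpOnly unless httponly is
# explicitly set to false in the session_store options.
def httponly_enabled?(options)
  options.fetch(:httponly, true) != false
end

# Constructed sample initializer: the first call is insecure, the second is
# explicitly secure, the third relies on the secure default.
SAMPLE_INITIALIZER = <<~RUBY
  # config/initializers/session_store.rb (constructed sample)
  Rails.application.config.session_store :cookie_store,
    key: "_app_session",
    httponly: false
  Rails.application.config.session_store :cookie_store, key: "_admin_session", httponly: true
  Rails.application.config.session_store :cookie_store, key: "_default_session"
RUBY

if __FILE__ == $PROGRAM_NAME
  find_httponly_disabled(SAMPLE_INITIALIZER).each do |f|
    puts "line #{f[:line]}: httponly disabled -> #{f[:statement].gsub(/\s+/, ' ')}"
  end
end
```

Only the first call is reported; the other two leave HttpOnly in effect.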

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_session_with_httponly_disabled

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=ruby_rails_session_with_httponly_disabled