Unsafe cookie serialization strategy detected.

Description

Cookie values are untrusted input, and JSON is the safest serialization strategy for them: JSON deserialization cannot be used for malicious code injection in the way that Marshal deserialization can. By default, Rails uses JSON to serialize cookie values.

Remediations

❌ Avoid overriding the default cookie serializer

Rails.application.config.action_dispatch.cookies_serializer = :marshal

❌ Use the hybrid (Marshal and JSON) serializer option as a temporary solution only, for example when migrating from Marshal to JSON.

Rails.application.config.action_dispatch.cookies_serializer = :hybrid
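To make the difference between the three settings concrete, here is an added example (not code from Bearer or Rails) modelling what each cookies_serializer value can reconstruct from a cookie the application did not build itself. SessionPreferences, the loader functions and the signature check are constructed for illustration, and the hybrid loader is a simplified stand-in for Rails' behaviour, not its implementation.

```ruby
require "json"

# Hypothetical application object that could end up in a cookie value.
class SessionPreferences
  attr_reader :theme

  def initialize(theme)
    @theme = theme
  end

  # Emit plain data so the JSON serializer can handle the object.
  def to_json(*args)
    { "theme" => @theme }.to_json(*args)
  end
end

# Marshal streams start with the format version bytes 4.8.
MARSHAL_SIGNATURE = "\x04\x08".b

# :marshal -- instantiates whatever classes the byte stream names.
def load_with_marshal(value)
  Marshal.load(value)
end

# :json -- can only yield Hash, Array, String, Numeric, true, false or nil.
def load_with_json(value)
  JSON.parse(value)
end

# :hybrid (simplified model) -- Marshal-formatted values are still accepted,
# so the Marshal risk remains for as long as this setting is active.
def load_with_hybrid(value)
  value.b.start_with?(MARSHAL_SIGNATURE) ? load_with_marshal(value) : load_with_json(value)
end

# Class of the object a given serializer setting yields for a cookie that
# carried a SessionPreferences object (a legacy Marshal cookie for :hybrid).
def reconstructed_class(serializer)
  prefs = SessionPreferences.new("dark")
  cookie = serializer == :json ? JSON.generate(prefs) : Marshal.dump(prefs)
  loaders = { marshal: method(:load_with_marshal),
              json: method(:load_with_json),
              hybrid: method(:load_with_hybrid) }
  loaders.fetch(serializer).call(cookie).class
end
```

With :json the cookie comes back as a plain Hash; with :marshal, and with :hybrid for a Marshal-formatted cookie, the application class itself is instantiated from attacker-reachable bytes.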
