Security Test: Frontend Cookie Security

Description

Default Severity:

When cookies are not restricted to encrypted connections or shielded from script access, an attacker who obtains them can impersonate the user. This flaw occurs when developers omit the relevant attributes on the Set-Cookie header: the HttpOnly flag, which prevents JavaScript from reading the cookie, and the Secure flag, which ensures the cookie is only sent over TLS. Left unchecked, it enables session hijacking and theft of sensitive data, leading to unauthorized access and other security issues.
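As an added example (not the scanner's own implementation), a small audit that parses each Set-Cookie header of a response and reports which of the protections this check looks for are missing; SAMPLE_HEADERS is constructed input:

```python
# Added example, not the scanner's own code; SAMPLE_HEADERS below is constructed.

def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).
    Attribute names are case-insensitive (RFC 6265), so they are lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header: str) -> tuple[str, list[str]]:
    """Return (cookie name, missing protections) for one Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    missing: list[str] = []
    if "secure" not in attrs:    # without Secure the cookie travels over plain HTTP
        missing.append("Secure")
    if "httponly" not in attrs:  # without HttpOnly document.cookie exposes it to scripts
        missing.append("HttpOnly")
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        missing.append("SameSite=None requires Secure")  # browsers reject it otherwise
    return name, missing


def audit_response(headers: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Audit every Set-Cookie header of a response given as (name, value) pairs.
    Pairs, not a joined string: Set-Cookie cannot be comma-folded (Expires has commas)."""
    findings: dict[str, list[str]] = {}
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, missing = audit_set_cookie(value)
            if missing:
                findings[name] = missing
    return findings


# Constructed sample response: one weak session cookie and one hardened cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT"),
    ("Set-Cookie", "csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for cookie, missing in audit_response(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```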

Reference:

Configuration

Identifier: frontend_protocol/header_set_cookie

Examples

All configuration available:

checks:
  frontend_protocol/header_set_cookie:
    skip: false # default

Compliance and Standards

| Standard | Value |
| --- | --- |
| OWASP API Top 10 | API7:2023 |
| OWASP LLM Top 10 | LLM06:2023 |
| PCI DSS | 6.5.10 |
| GDPR | Article-32 |
| SOC2 | CC1 |
| PSD2 | Article-95 |
| ISO 27001 | A.14.1 |
| NIST | SP800-53 |
| FedRAMP | AC-4 |
| CWE | 614 |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| CVSS Score | 6.1 |