Cookie Security¶
Description¶
A cookie has been set without the Secure flag (and possibly without HttpOnly), which means the cookie can be sent over unencrypted connections or read by JavaScript running in the page. If a malicious script runs on this page, the cookie is accessible and can be exfiltrated to an attacker-controlled site. If it is a session cookie, session hijacking may be possible.
Remediation¶
Whenever a cookie contains sensitive information or is a session token, it should always be passed over an encrypted channel. Set the HttpOnly, SameSite and Secure attributes in the Set-Cookie header.
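The following is an added example (not part of this page or the scanner) that audits a Set-Cookie header for the three attributes above, exactly as this check reasons about them, and builds a hardened header with the standard library; the sample headers are constructed.

```python
# Added example, not part of the original page: audit Set-Cookie headers for
# the Secure, HttpOnly and SameSite attributes this check looks for, and
# build a hardened header with the standard library.
from http.cookies import SimpleCookie


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and a lower-cased attribute
    map; flags (Secure, HttpOnly) map to True, SameSite=Lax maps to 'Lax'."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str) -> list:
    """Return the findings this check would raise for a single header."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str):
        findings.append("missing SameSite")
    elif samesite.lower() not in ("strict", "lax", "none"):
        findings.append("invalid SameSite value")
    elif samesite.lower() == "none" and "secure" not in attrs:
        # Browsers reject SameSite=None cookies that are not also Secure.
        findings.append("SameSite=None requires Secure")
    return findings


def hardened_header(name: str, value: str, samesite: str = "Lax") -> str:
    """Render a Set-Cookie header that carries all three attributes."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["secure"] = True
    cookie[name]["httponly"] = True
    cookie[name]["samesite"] = samesite  # Morsel supports it since Python 3.8
    cookie[name]["path"] = "/"
    return cookie[name].OutputString()


WEAK = "session=abc123; Path=/"  # constructed: the kind of header this check flags
FIXED = hardened_header("session", "abc123")  # its hardened form
```

Running `audit_set_cookie(WEAK)` reports all three missing attributes, while `audit_set_cookie(FIXED)` returns no findings.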
GraphQL Specific¶
Apollo
Ensure that the Apollo framework engine is configured to set Secure, HttpOnly, and SameSite attributes for all cookies. The Secure attribute ensures cookies are sent over HTTPS only, HttpOnly prevents JavaScript access to cookies, reducing the risk of cross-site scripting attacks, and the SameSite attribute prevents the browser from sending cookies along with cross-site requests. Additionally, consider implementing a strong cookie policy that defines the scope and lifetime of cookies to minimize exposure to potential vulnerabilities.
Yoga
Ensure that the Yoga framework engine is configured to set Secure, HttpOnly, and SameSite attributes for all cookies. The Secure attribute ensures cookies are sent over HTTPS only, HttpOnly prevents JavaScript access to cookies, reducing the risk of cross-site scripting attacks, and the SameSite attribute prevents the browser from sending cookies along with cross-site requests. Additionally, consider implementing a Content Security Policy (CSP) to further mitigate the risk of XSS attacks.
Awsappsync
Ensure that cookies used by AWS AppSync for authentication and session management are secured with appropriate flags such as 'Secure', 'HttpOnly', and 'SameSite'. Set the 'Secure' flag to ensure cookies are sent over HTTPS connections only. Use the 'HttpOnly' flag to prevent access to cookie data via JavaScript. Apply the 'SameSite' attribute with a value of 'Strict' or 'Lax' to mitigate the risk of cross-site request forgery (CSRF) attacks. Regularly review and validate the configuration to maintain strong cookie security.
Graphqlgo
For enhancing cookie security in a GraphQL Go framework engine, ensure that cookies used for sensitive operations like session handling are flagged with secure attributes. Set 'HttpOnly' to prevent client-side script access to the cookie, 'Secure' to ensure transmission over HTTPS, and consider the 'SameSite' attribute to mitigate CSRF attacks. Additionally, implement proper cookie expiration and rotation policies.
Graphqlruby
In the GraphQL Ruby framework, ensure that cookies used for session management or sensitive data storage are secure by setting the 'secure' flag, which ensures cookies are sent over HTTPS only. Additionally, set the 'HttpOnly' flag to prevent client-side scripts from accessing the cookie data. Implement the 'SameSite' attribute to mitigate CSRF attacks. Regularly update the framework and dependencies to incorporate security patches. Use middleware for cookie management to abstract security complexities and ensure consistent application of these security measures across your application.
Hasura
Ensure that the Hasura engine's cookie settings include the Secure and HttpOnly flags. Set the 'SameSite' attribute to 'Strict' or 'Lax' to mitigate CSRF attacks. Regularly update the Hasura engine to incorporate security patches for cookie handling.
Agoo
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Agoo framework to prevent access via unencrypted connections and mitigate the risk of JavaScript access.
Ariadne
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Ariadne framework to prevent unauthorized access and transmission over unencrypted connections.
Caliban
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Caliban framework to prevent unauthorized access and transmission over unencrypted connections.
Dgraph
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Dgraph framework to prevent unauthorized access and transmission over unencrypted connections.
Dianajl
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the DianaJL framework engine to prevent unauthorized access and transmission over unencrypted connections.
Directus
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Directus framework to prevent unauthorized access and transmission over unencrypted connections.
Flutter
Ensure cookies are set with the 'secure' and 'httpOnly' flags in the Flutter framework to prevent access via unencrypted connections and mitigate the risk of JavaScript access.
Graphene
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Graphene framework to prevent unauthorized access and transmission over unencrypted connections.
Graphqlapiforwp
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the GraphQL API for WP framework to prevent unauthorized access and transmission over unencrypted connections.
Graphqlgophergo
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the GraphQLGopherGo framework to prevent unauthorized access and transmission over unencrypted connections.
Graphqljava
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the GraphQL Java framework to prevent unauthorized access and transmission over unencrypted connections.
Graphqlphp
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the GraphQL PHP framework to prevent unauthorized access and transmission over unencrypted connections.
Graphqlyoga
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the GraphQL Yoga framework to prevent unauthorized access and transmission over unencrypted connections.
Hypergraphql
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the HyperGraphQL framework to prevent unauthorized access and transmission over unencrypted connections.
Jaal
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Jaal framework to prevent unauthorized access and transmission over unencrypted connections.
Juniper
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Juniper framework to prevent unauthorized access and transmission over unencrypted connections.
Lacinia
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Lacinia framework to prevent unauthorized access and transmission over unencrypted connections.
Lighthouse
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Lighthouse framework to prevent unauthorized access and transmission over unencrypted connections.
Mercurius
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Mercurius framework to prevent unauthorized access and transmission over unencrypted connections.
Morpheusgraphql
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the MorpheusGraphQL framework to prevent unauthorized access and transmission over unencrypted connections.
Gqlgen
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the gqlgen framework to prevent unauthorized access and transmission over unencrypted connections.
Sangria
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Sangria framework to prevent unauthorized access and transmission over unencrypted connections.
Shopify
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Shopify framework to prevent unauthorized access and transmission over unencrypted connections.
Stepzen
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the StepZen framework to prevent access via unencrypted connections and mitigate the risk of session hijacking.
Strawberry
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Strawberry framework engine to prevent unauthorized access and transmission over unencrypted connections.
Tartiflette
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Tartiflette framework to prevent unauthorized access and transmission over unencrypted connections.
Wpgraphql
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the WPGraphQL framework to prevent unauthorized access and transmission over unencrypted connections.
REST Specific¶
Asp_net
In the ASP.NET framework, ensure that cookies, especially those containing sensitive information or used for session management, have the 'Secure' flag set. This can be done by setting the 'Secure' property to 'true' on the HttpCookie object before adding it to the response. Additionally, set the 'HttpOnly' property to 'true' to prevent client-side scripts from accessing the cookie. This helps mitigate the risk of cookie theft via cross-site scripting (XSS) attacks.
Ruby_on_rails
In Ruby on Rails, ensure that cookies containing sensitive information are set with the 'secure' option to prevent transmission over non-HTTPS connections. Additionally, use the 'httponly' option to prevent client-side scripts from accessing the cookie. This is done by passing 'secure: true' and 'httponly: true' in the cookie options. For example: `cookies[:user_session] = { value: 'session_token', secure: true, httponly: true }`.
Next_js
Ensure that all cookies in your Next.js application are set with the 'Secure' attribute, which ensures they are only sent over HTTPS. Additionally, use the 'HttpOnly' attribute to prevent JavaScript access to the cookies, mitigating the risk of cross-site scripting (XSS) attacks. Implement these attributes in your server-side code where cookies are set, and consider using the 'next-cookies' library or similar middleware for better cookie management.
Laravel
In Laravel, ensure that session cookies are set with the 'secure' flag by using the 'secure' option in your config/session.php configuration file. Set 'secure' to 'true' to force cookies to be sent over HTTPS only. Additionally, use the 'http_only' option to prevent JavaScript access to session cookies, mitigating the risk of client-side script attacks.
Express_js
In Express.js, ensure that cookies are set with the 'secure' flag and, if applicable, the 'httpOnly' flag to prevent access over unencrypted connections and to mitigate the risk of client-side script access. The 'cookie-parser' middleware reads incoming cookies; outgoing cookies are set with res.cookie, where these flags are passed in the options object. For example: `res.cookie('name', 'value', { secure: true, httpOnly: true });`
Django
In Django, ensure that the 'SESSION_COOKIE_SECURE' setting is set to True so that the session cookie is marked as 'secure' and transmitted only over HTTPS. Additionally, set 'CSRF_COOKIE_SECURE' to True to secure the CSRF cookie. Use 'SESSION_COOKIE_HTTPONLY' to prevent JavaScript access to session cookies. These settings help mitigate the risk of cookie theft via man-in-the-middle attacks or XSS.
Symfony
In Symfony, ensure that all cookies, especially session cookies, are set with the 'secure' flag and the 'httpOnly' flag. This can be done by configuring the framework's session settings in the 'config/packages/framework.yaml' file. Set 'cookie_secure' to 'auto' or 'true' to enforce cookies over HTTPS, and 'cookie_httponly' to 'true' to prevent JavaScript access. For example, under the 'framework' key: 'session: { cookie_secure: true, cookie_httponly: true }'. Additionally, review and update any manual setcookie() calls to include these flags.
Spring_boot
In Spring Boot, ensure that cookies, especially session cookies, are secured by setting the 'secure' flag to true. This can be done by configuring the server.servlet.session.cookie.secure property (server.session.cookie.secure in Spring Boot 1.x) in the application.properties or application.yml file. Additionally, set the 'HttpOnly' flag to prevent JavaScript access to the cookie. For example, in application.properties, add server.servlet.session.cookie.secure=true and server.servlet.session.cookie.http-only=true to enforce these security measures.
Flask
In Flask, ensure that cookies are set with the 'secure' flag by calling the 'set_cookie' method with 'secure=True'. Additionally, set the 'HttpOnly' flag to prevent JavaScript access by passing 'httponly=True'. For example: `response.set_cookie('cookie_name', 'cookie_value', secure=True, httponly=True)`. This helps protect against interception and access by unauthorized parties.
Nuxt
In Nuxt.js, ensure that all cookies are set with the 'secure' flag to enforce transmission over encrypted connections. Additionally, use the 'httpOnly' flag to prevent JavaScript access to the cookie. This can be achieved by configuring the cookie settings in your application's middleware or by using libraries such as 'cookie-universal-nuxt' for server-side cookie handling. Always validate and sanitize inputs to mitigate the risk of XSS attacks, which can lead to cookie theft.
Fastapi
In FastAPI, ensure that cookies are set with the 'secure' flag by calling the 'response.set_cookie' method with the 'secure=True' parameter. Additionally, pass the 'httponly=True' parameter to prevent JavaScript access to the cookie. This protects the cookie during transmission over unencrypted connections and from access by client-side scripts.
Frappe
Set the 'secure' and 'HttpOnly' flags for cookies in the Frappe framework to prevent access via unencrypted connections and restrict JavaScript access.
Genzio
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Genzio framework to prevent unauthorized access and transmission over unencrypted connections.
Gin
Set the 'Secure' and 'HttpOnly' flags for cookies in the Gin framework to prevent access via unencrypted connections and restrict JavaScript access.
Gorilla
Set the 'Secure' and 'HttpOnly' flags on cookies in the Gorilla toolkit to prevent access via unencrypted connections and restrict JavaScript access.
Hapi
Ensure cookies are set with the 'secure' and 'httpOnly' flags in the Hapi framework to prevent access via unencrypted connections and mitigate the risk of JavaScript access.
Hono
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Hono framework to prevent unauthorized access and transmission over unencrypted connections.
Jersey
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Jersey framework to prevent unauthorized access and transmission over unencrypted connections.
Koa
Ensure cookies are set with the 'secure' and 'httpOnly' flags in the Koa framework to prevent access via unencrypted connections and restrict JavaScript access.
Ktor
Ensure cookies are set with the 'secure' and 'HttpOnly' flags in the Ktor framework to prevent access via unencrypted connections and mitigate the risk of JavaScript access.
Leptos
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Leptos framework to prevent unauthorized access and transmission over unencrypted connections.
Macaron
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Macaron framework to prevent access via unencrypted connections and mitigate the risk of JavaScript accessing the cookies.
Phoenix
Ensure cookies are set with the 'secure' and 'httpOnly' flags in the Phoenix framework to prevent access via unencrypted connections and mitigate the risk of JavaScript accessing the cookies.
Redwoodjs
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in RedwoodJS by configuring the session management settings to enhance cookie security.
Rocket
Ensure cookies are set with the 'Secure' and 'HttpOnly' flags in the Rocket framework to prevent access via unencrypted connections and mitigate the risk of JavaScript access.
Sveltekit
Ensure cookies are set with the 'HttpOnly' and 'Secure' flags in SvelteKit by configuring the session management to prevent access via JavaScript and enforce transmission over HTTPS.
Configuration¶
Identifier: protocol/header_set_cookie
Compliance¶
- OWASP: API7:2023
- OWASP LLM: LLM06:2023
- pci: 6.5.10
- gdpr: Article-32
- soc2: CC1
- psd2: Article-95
- iso27001: A.14.1
- nist: SP800-53
- fedramp: AC-4
Classification¶
- CWE: 614
Score¶
- CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- CVSS_SCORE: 6.1