Cookie Security
Description
A cookie has been set without any secure flag, which means that the cookie can be accessed via unencrypted connections or that JavaScript code can access the cookie. If a malicious script runs on this page, then the cookie will be accessible and can be transmitted to another hacker-controlled site. If this is a session cookie, then session hijacking may be possible.
Remediation
Whenever a cookie contains sensitive information or is a session token, it should always be passed using an encrypted channel.
Set HttpOnly, SameSite and Secure directives in Set-Cookie header.
GraphQL Specific
Apollo
Ensure that the Apollo framework engine is configured to set secure, HttpOnly, and SameSite attributes for all cookies. Secure attributes ensure cookies are sent over HTTPS, HttpOnly prevents JavaScript access to cookies, reducing the risk of cross-site scripting attacks, and SameSite attributes prevent the browser from sending cookies along with cross-site requests. Additionally, consider implementing a strong cookie policy that defines the scope and lifetime of cookies to minimize exposure to potential vulnerabilities.
Yoga
Ensure that the Yoga framework engine is configured to set secure, HttpOnly, and SameSite attributes for all cookies. Secure attributes ensure cookies are sent over HTTPS, HttpOnly prevents JavaScript access to cookies, reducing the risk of cross-site scripting attacks, and SameSite attributes prevent the browser from sending cookies along with cross-site requests. Additionally, consider implementing a Content Security Policy (CSP) to further mitigate the risk of XSS attacks.
Awsappsync
Ensure that cookies used by AWS AppSync for authentication and session management are secured with appropriate flags such as 'Secure', 'HttpOnly', and 'SameSite'. Set the 'Secure' flag to ensure cookies are sent over HTTPS connections only. Use the 'HttpOnly' flag to prevent access to cookie data via JavaScript. Apply the 'SameSite' attribute with a value of 'Strict' or 'Lax' to mitigate the risk of cross-site request forgery (CSRF) attacks. Regularly review and validate the configuration to maintain strong cookie security.
Graphqlgo
For enhancing cookie security in a GraphQL Go framework engine, ensure that cookies used for sensitive operations like session handling are flagged with secure attributes. Set 'HttpOnly' to prevent client-side script access to the cookie, 'Secure' to ensure transmission over HTTPS, and consider 'SameSite' attributes to mitigate CSRF attacks. Additionally, implement proper cookie expiration and rotation policies.
Graphqlruby
In the GraphQL Ruby framework, ensure that cookies used for session management or sensitive data storage are secure by setting the 'secure' flag, which ensures cookies are sent over HTTPS only. Additionally, set the 'HttpOnly' flag to prevent client-side scripts from accessing the cookie data. Implement 'SameSite' attribute to mitigate CSRF attacks. Regularly update the framework and dependencies to incorporate security patches. Use middleware for cookie management to abstract security complexities and ensure consistent application of these security measures across your application.
Hasura
Ensure that the Hasura engine's cookie settings include secure attributes and HttpOnly flags. Set the 'SameSite' attribute to 'Strict' or 'Lax' to mitigate CSRF attacks. Regularly update the Hasura engine to incorporate security patches for cookie handling.
REST Specific
Asp_net
In the ASP.NET framework, ensure that cookies, especially those containing sensitive information or used for session management, have the 'Secure' flag set. This can be done by setting the 'Secure' property to 'true' on the HttpCookie object before adding it to the response. Additionally, set the 'HttpOnly' flag to 'true' to prevent client-side scripts from accessing the cookie. This can help mitigate the risk of cookie theft via cross-site scripting (XSS) attacks.
Ruby_on_rails
In Ruby on Rails, ensure that cookies containing sensitive information are set with the 'secure' flag to prevent transmission over non-HTTPS connections. Additionally, use the 'http_only' flag to prevent client-side scripts from accessing the cookie. This can be implemented by setting 'secure: true' and 'http_only: true' in the cookie options. For example: cookies[:user_session] = { value: 'session_token', secure: true, http_only: true }.
Next_js
Ensure that all cookies in your Next.js application are set with the 'Secure' attribute, which ensures they are only sent over HTTPS. Additionally, use the 'HttpOnly' attribute to prevent JavaScript access to the cookies, mitigating the risk of cross-site scripting (XSS) attacks. Implement these attributes in your server-side code where cookies are set, and consider using the 'next-cookies' library or similar middleware for better cookie management.
Laravel
In Laravel, ensure that cookies are set with the 'secure' flag by using the 'secure' option in your config/session.php configuration file. Set 'secure' to 'true' to enforce cookies to be sent over HTTPS only. Additionally, use the 'http_only' option to prevent JavaScript access to session cookies, mitigating the risk of client-side script attacks.
Express_js
In Express.js, ensure that cookies are set with the 'secure' flag and, if applicable, the 'httpOnly' flag to prevent access over unencrypted connections and to mitigate the risk of client-side script access. Use the 'cookie-parser' middleware to manage cookies and set these flags appropriately when setting cookies. For example, res.cookie('name', 'value', { secure: true, httpOnly: true });
Django
In Django, ensure that the 'SESSION_COOKIE_SECURE' setting is set to True so that the session cookie is marked as 'secure' and transmitted only over HTTPS. Additionally, set 'CSRF_COOKIE_SECURE' to True to secure the CSRF cookie. Use 'SESSION_COOKIE_HTTPONLY' to prevent JavaScript access to session cookies. These settings help mitigate the risk of cookie theft via man-in-the-middle attacks or XSS.
Symfony
In Symfony, ensure that all cookies, especially session cookies, are set with the 'secure' flag and the 'httpOnly' flag. This can be done by configuring the framework's session settings in the 'config/packages/framework.yaml' file. Set 'cookie_secure' to 'auto' or 'true' to enforce cookies over HTTPS, and 'cookie_httponly' to 'true' to prevent JavaScript access. For example: 'session: { cookie_secure: true, cookie_httponly: true }'. Additionally, review and update any manual setcookie() calls to include these flags.
Spring_boot
In Spring Boot, ensure that cookies, especially session cookies, are secured by setting the 'secure' flag to true. This can be done by configuring the server.session.cookie.secure property in the application.properties or application.yml file. Additionally, set the 'HttpOnly' flag to prevent JavaScript access to the cookie. For example, in application.properties, add server.servlet.session.cookie.secure=true and server.servlet.session.cookie.http-only=true to enforce these security measures.
Flask
In Flask, ensure that cookies are set with the 'secure' flag by using the 'set_cookie' method with 'secure=True'. Additionally, set the 'HttpOnly' flag to prevent JavaScript access by using 'httponly=True'. For example: 'response.set_cookie('cookie_name', 'cookie_value', secure=True, httponly=True)'. This will help protect against interception and access by unauthorized parties.
Nuxt
In Nuxt.js, ensure that all cookies are set with the 'secure' flag to enforce transmission over encrypted connections. Additionally, use the 'httpOnly' flag to prevent JavaScript access to the cookie. This can be achieved by configuring the cookie settings in your application's middleware or by using libraries such as 'cookie-universal-nuxt' for server-side cookie handling. Always validate and sanitize inputs to mitigate the risk of XSS attacks, which can lead to cookie theft.
Fastapi
In FastAPI, ensure that cookies are set with the 'secure' flag by using the 'response.set_cookie' method with the 'secure=True' parameter. Additionally, set the 'httponly=True' parameter to prevent JavaScript access to the cookie. This will help protect the cookie during transmission over unencrypted connections and from access by client-side scripts.
Configuration
Identifier:
protocol/header_set_cookie
Examples
Ignore this check
checks:
protocol/header_set_cookie:
skip: true
Score
- Escape Severity: LOW
Compliance
- OWASP: API7:2023
- pci: 6.5.10
- gdpr: Article-32
- soc2: CC1
- psd2: Article-95
- iso27001: A.14.1
- nist: SP800-53
- fedramp: AC-4