ID: js/client-exposed-cookie Kind: problem Security severity: 5.0 Severity: warning Precision: high Tags: - security - external/cwe/cwe-1004 Query suites: - javascript-code-scanning.qls - javascript-security-extended.qls - javascript-security-and-quality.qls
Click to see the query in the CodeQL repository
Authentication cookies stored by a server can be accessed by a client if the httpOnly flag is not set.
An attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.
Recommendation¶
Set the httpOnly flag on all cookies that are not needed by the client.
Example¶
The following example stores an authentication token in a cookie that can be viewed by the client.
const http = require('http'); const server = http.createServer((req, res) => { res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}`); res.writeHead(200, { 'Content-Type': 'text/html' }); res.end('<h2>Hello world</h2>'); });
To force the cookie to be transmitted using SSL, set the secure attribute on the cookie.
const http = require('http'); const server = http.createServer((req, res) => { res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}; secure; httpOnly`); res.writeHead(200, { 'Content-Type': 'text/html' }); res.end('<h2>Hello world</h2>'); });
References¶
ExpressJS: Use cookies securely.
OWASP: Set cookie flags appropriately.
Mozilla: Set-Cookie.
Common Weakness Enumeration: CWE-1004.