All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.sonar.l10n.javascript.rules.javascript.S2092.html Maven / Gradle / Ivy

Go to download

There is a newer version: 10.17.0.28100
Show newest version
When a cookie is protected with the secure attribute set to true it will not be send by the browser over an unencrypted HTTP
request and thus cannot be observed by an unauthorized person during a man-in-the-middle attack.


Ask Yourself Whether


    
  
  •  the cookie is for instance a session-cookie not designed to be sent over non-HTTPS communication. 
    • 
  
  •  it’s not sure that the website contains mixed content or not
  (ie HTTPS everywhere or not) 
    • 



There is a risk if you answered yes to any of those questions.


Recommended Secure Coding Practices


    
  
  •  It is recommended to use HTTPs everywhere so setting the secure flag to true should be the default behaviour
  when creating cookies. 
    • 
  
  •  Set the secure flag to true for session-cookies. 
    • 



Sensitive Code Example


cookie-session module:


let session = cookieSession({
  secure: false,// Sensitive
});  // Sensitive



express-session module:


const express = require('express');
const session = require('express-session');

let app = express();
app.use(session({
  cookie:
  {
    secure: false // Sensitive
  }
}));



cookies module:


let cookies = new Cookies(req, res, { keys: keys });

cookies.set('LastVisit', new Date().toISOString(), {
  secure: false // Sensitive
}); // Sensitive



csurf module:


const cookieParser = require('cookie-parser');
const csrf = require('csurf');
const express = require('express');

let csrfProtection = csrf({ cookie: { secure: false }}); // Sensitive



Compliant Solution


cookie-session module:


let session = cookieSession({
  secure: true,// Compliant
});  // Compliant



express-session module:


const express = require('express');
const session = require('express-session');

let app = express();
app.use(session({
  cookie:
  {
    secure: true // Compliant
  }
}));



cookies module:


let cookies = new Cookies(req, res, { keys: keys });

cookies.set('LastVisit', new Date().toISOString(), {
  secure: true // Compliant
}); // Compliant



csurf module:


const cookieParser = require('cookie-parser');
const csrf = require('csurf');
const express = require('express');

let csrfProtection = csrf({ cookie: { secure: true }}); // Compliant



See




© 2015 - 2024 Weber Informatics LLC | Privacy Policy