• Home
• org.sonarsource.javascript
• javascript-checks
• 10.16.0.27621
• source code
• S3330.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.l10n.javascript.rules.javascript.S3330.html Maven / Gradle / Ivy

When a cookie is configured with the HttpOnly attribute set to true, the browser guaranties that no client-side script will
be able to read it. In most cases, when a cookie is created, the default value of HttpOnly is false and it’s up to the developer
to decide whether or not the content of the cookie can be read by the client-side script. As a majority of Cross-Site Scripting (XSS) attacks target
the theft of session-cookies, the HttpOnly attribute can help to reduce their impact as it won’t be possible to exploit the XSS
vulnerability to steal session-cookies.
Ask Yourself Whether

  
 the cookie is sensitive, used to authenticate the user, for instance a session-cookie 
  
 the HttpOnly attribute offer an additional protection (not the case for an XSRF-TOKEN cookie / CSRF token for example)
  

There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices

  
 By default the HttpOnly flag should be set to true for most of the cookies and it’s mandatory for session /
  sensitive-security cookies. 

Sensitive Code Example
cookie-session module:
let session = cookieSession({
  httpOnly: false,// Sensitive
});  // Sensitive

express-session module:
const express = require('express'),
const session = require('express-session'),

let app = express()
app.use(session({
  cookie:
  {
    httpOnly: false // Sensitive
  }
})),

cookies module:
let cookies = new Cookies(req, res, { keys: keys });

cookies.set('LastVisit', new Date().toISOString(), {
  httpOnly: false // Sensitive
}); // Sensitive

csurf module:
const cookieParser = require('cookie-parser');
const csrf = require('csurf');
const express = require('express');

let csrfProtection = csrf({ cookie: { httpOnly: false }}); // Sensitive

Compliant Solution
cookie-session module:
let session = cookieSession({
  httpOnly: true,// Compliant
});  // Compliant

express-session module:
const express = require('express');
const session = require('express-session');

let app = express();
app.use(session({
  cookie:
  {
    httpOnly: true // Compliant
  }
}));

cookies module:
let cookies = new Cookies(req, res, { keys: keys });

cookies.set('LastVisit', new Date().toISOString(), {
  httpOnly: true // Compliant
}); // Compliant

csurf module:
const cookieParser = require('cookie-parser');
const csrf = require('csurf');
const express = require('express');

let csrfProtection = csrf({ cookie: { httpOnly: true }}); // Compliant

See

  
 OWASP - Top 10 2021 Category A5 - Security Misconfiguration 
  
 OWASP HttpOnly 
  
 OWASP - Top 10 2017 Category A7 - Cross-Site Scripting
  (XSS) 
  
 CWE - CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag 
  
 Derived from FindSecBugs rule HTTPONLY_COOKIE 
  
 STIG Viewer - Application Security and
  Development: V-222575 - The application must set the HTTPOnly flag on session cookies.