Recipe Name:
Session configuration: Cookies: Set HttpOnly flag to true
Description:
Prevent client-side scripts from accessing the cookie by setting the HttpOnly flag to true
Level:
error
Language:
- java
Tags:
- Spring
- security
- framework specific
- web
- Spring Web
- OWASP Top 10
Documentation
Cookies should be configured securely using the HttpOnly and Secure attributes.
Session cookies are a frequent target of Cross-Site Scripting (XSS) attacks. Setting the serializer's useHttpOnlyCookie
property to true via setUseHttpOnlyCookie(true) (which is also the default) marks the cookie HttpOnly, so it cannot be read by client-side scripts.
Before:
cookie.setUseHttpOnlyCookie(true);

After:
cookie.setUseHttpOnlyCookie(true);
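The following is an added example, not part of this recipe, showing a Spring Session DefaultCookieSerializer configured with the HttpOnly and Secure attributes the documentation calls for, and a check of the Set-Cookie header it actually emits. It assumes spring-session-core and spring-test (for the mock request/response) are on the classpath; the class name and the session id value are constructed for the demo.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

// Added example (hypothetical class): hardens the Spring Session cookie and
// verifies the resulting Set-Cookie header carries HttpOnly and Secure.
public class HardenedCookieSerializerDemo {

    // Equivalent to the CookieSerializer @Bean a Spring Session application would declare.
    static DefaultCookieSerializer hardenedSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setCookieName("SESSION");
        serializer.setUseHttpOnlyCookie(true);   // the recipe's fix: cookie not readable via document.cookie
        serializer.setUseSecureCookie(true);     // only sent over HTTPS
        serializer.setSameSite("Lax");           // limits cross-site submission of the cookie
        return serializer;
    }

    // Writes a constructed session id through the serializer and returns the emitted header.
    static String setCookieHeader(CookieSerializer serializer) {
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.setSecure(true);
        MockHttpServletResponse response = new MockHttpServletResponse();
        serializer.writeCookieValue(
                new CookieSerializer.CookieValue(request, response, "constructed-session-id"));
        return response.getHeader("Set-Cookie");
    }

    public static void main(String[] args) {
        String header = setCookieHeader(hardenedSerializer());
        System.out.println(header);
        // Fail loudly if either attribute the documentation requires is missing.
        if (header == null || !header.contains("HttpOnly") || !header.contains("Secure")) {
            throw new IllegalStateException("session cookie is missing HttpOnly/Secure: " + header);
        }
    }
}
```

Running the same check against a serializer built with setUseHttpOnlyCookie(false) makes the main method throw, which is the behaviour the recipe's "Before" snippet produces.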
Recipe
id: scw:spring:web:cookie-set-httponly
version: 10
metadata:
  name: 'Session configuration: Cookies: Set HttpOnly flag to true'
  shortDescription: 'Prevent client-side scripts from accessing the cookie by setting the HttpOnly flag to true '
  level: error
  language: java
  scwCategory: improper_session_handling:improper_flags_in_cookie_headers
  enabled: true
  descriptionFile: descriptions/SessionconfigurationCookiesSetHttpOnlyflagtotrue.html
  tags: Spring;security;framework specific;web;Spring Web;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "false"
    name: setUseHttpOnlyCookie
    type: org.springframework.session.web.http.DefaultCookieSerializer
availableFixes:
  - name: Set HttpOnly to true
    actions:
      - modifyArguments:
          rewrite:
            1: "true"