Recipe Name:
Security Misconfiguration: Disabled Security Settings: CookieCsrfTokenRepository#withHttpOnlyFalse
Description:
Set HttpOnly to true on the CSRF token cookie to protect against CSRF, or remove the withHttpOnlyFalse() call.
Level:
error
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • CSRF
  • OWASP Top 10
Documentation

Set the cookie's HttpOnly flag to true with setCookieHttpOnly(true) so that the CSRF token cookie is not accessible to client-side scripts.

Cookies that are accessible to client-side scripts can be read by script injected through a Cross-Site Scripting (XSS) attack. An attacker who obtains a session cookie this way can impersonate the affected user. Protect the application from this vulnerability by explicitly calling setCookieHttpOnly(true) on the CookieCsrfTokenRepository instead of using withHttpOnlyFalse().

Before
protected void configure(HttpSecurity http) throws Exception {
    http.csrf()
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
After
protected void configure(HttpSecurity http) throws Exception {
    CookieCsrfTokenRepository csrfTokenRepository = new CookieCsrfTokenRepository();
    csrfTokenRepository.setCookieHttpOnly(true);
    http.csrf()
        .csrfTokenRepository(csrfTokenRepository);
}
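The same fix applied in a complete Spring Security configuration using the SecurityFilterChain bean style, as an added example that is not part of the recipe (the class name CsrfCookieConfig and the bean names are assumed; the cookie is also marked Secure, which the recipe does not require):

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Assumed class name; any @Configuration class in the application would do.
@Configuration
@EnableWebSecurity
public class CsrfCookieConfig {

    // Build the repository explicitly rather than via withHttpOnlyFalse(),
    // so the cookie flags are chosen deliberately.
    @Bean
    CookieCsrfTokenRepository csrfTokenRepository() {
        CookieCsrfTokenRepository repository = new CookieCsrfTokenRepository();
        repository.setCookieHttpOnly(true); // cookie is hidden from document.cookie
        repository.setSecure(true);         // cookie is only sent over HTTPS
        return repository;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
                                    CookieCsrfTokenRepository repository) throws Exception {
        // CSRF protection stays enabled; only the token storage is customised.
        http.csrf(csrf -> csrf.csrfTokenRepository(repository));
        return http.build();
    }
}
```

Because the cookie is now HttpOnly, front-end JavaScript can no longer read the token from it, so the token must reach the client another way, such as the `_csrf` request attribute that Spring's form tag libraries render as a hidden field.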
References
Recipe
id: scw:spring:csrf:CookieCsrfTokenRepository-withHttpOnlyFalse
version: 10
metadata:
  name: 'Security Misconfiguration: Disabled Security Settings: CookieCsrfTokenRepository#withHttpOnlyFalse'
  shortDescription: Make sure to set HttpOnly to true to protect against CSRF or remove it
  level: error
  language: java
  scwCategory: csrf:csrf
  cweCategory: 352
  enabled: true
  descriptionFile: descriptions/CookieCsrfTokenRepositorywithHttpOnlyFalse.html
  tags: Spring;security;framework specific;web;Spring Security;CSRF;OWASP Top 10
search:
  methodcall:
    args:
      1:
        value:
          stringified: CookieCsrfTokenRepository.withHttpOnlyFalse()
    name: csrfTokenRepository
    declaration:
      type: org.springframework.security.config.annotation.web.configurers.CsrfConfigurer
availableFixes:
- name: Set HttpOnly to true
  actions:
  - rewrite:
      to: |-
        org.springframework.security.web.csrf.CookieCsrfTokenRepository cookieCsrfTokenRepository = new org.springframework.security.web.csrf.CookieCsrfTokenRepository();
        cookieCsrfTokenRepository.setCookieHttpOnly(true);
        {{{ expressionElement }}}(cookieCsrfTokenRepository)