Recipe Name:
Session configuration: Cookies: Set HttpOnly flag to true
Description:
Prevent client-side scripts from accessing the cookie by setting the HttpOnly flag to true
Level:
error
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • web
  • Spring Web
  • OWASP Top 10
Documentation

Cookies should be configured securely using the http-only and secure settings.

Session cookies are frequently the target of Cross-Site Scripting (XSS) attacks. By setting the setUseHttpOnlyCookie() flag to true (which is also the default setting), the cookie cannot be accessed by client-side scripts.

Before
cookie.setUseHttpOnlyCookie(false);
After
cookie.setUseHttpOnlyCookie(true);
Resources
Recipe
id: scw:spring:web:cookie-set-httponly
version: 10
metadata:
  name: 'Session configuration: Cookies: Set HttpOnly flag to true'
  shortDescription: 'Prevent client-side scripts from accessing the cookie by setting the HttpOnly flag to true '
  level: error
  language: java
  scwCategory: improper_session_handling:improper_flags_in_cookie_headers
  enabled: true
  descriptionFile: descriptions/SessionconfigurationCookiesSetHttpOnlyflagtotrue.html
  tags: Spring;security;framework specific;web;Spring Web;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "false"
    name: setUseHttpOnlyCookie
    type: org.springframework.session.web.http.DefaultCookieSerializer
availableFixes:
- name: Set HttpOnly to true
  actions:
  - modifyArguments:
      rewrite:
        1: "true"