Recipe Name:
Session configuration: Cookies: Set Secure flag to true
Description:
Prevent a cookie being sent over unencrypted HTTP by setting the Secure flag to true
Level:
error
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • web
  • Spring Web
  • OWASP Top 10
Documentation

Cookies should be configured securely using the HttpOnly and Secure attributes.

Ensure the session cookie is only sent over HTTPS by calling setUseSecureCookie(true) on the DefaultCookieSerializer. Otherwise, if the cookie is sent over an unencrypted HTTP connection, the session ID can be disclosed to a man-in-the-middle attacker on the network path.

Before
cookie.setUseSecureCookie(false);
After
cookie.setUseSecureCookie(true);
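The following is an added example, not code from the recipe or from Spring Session, showing where the corrected call normally lives in a Spring Session application: a configuration class that exposes a DefaultCookieSerializer bean with the Secure flag set explicitly. The class name, bean name and cookie name are illustrative; the serializer methods used are the public setters of org.springframework.session.web.http.DefaultCookieSerializer.

```java
// Added example (not part of the recipe or of Spring Session): applies the
// fix from the recipe inside a Spring Session configuration class.
// SessionCookieConfig, cookieSerializer() and the cookie name "SESSION" are
// illustrative choices for this example.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

@Configuration
public class SessionCookieConfig {

    // Spring Session picks up a CookieSerializer bean and uses it to write
    // and read the session cookie.
    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setCookieName("SESSION");

        // The recipe's fix: mark the cookie Secure unconditionally, so the
        // browser never sends it over plain HTTP.
        serializer.setUseSecureCookie(true);

        // Keep the cookie out of reach of page scripts. DefaultCookieSerializer
        // already defaults this to true; it is stated explicitly so the
        // intended attributes are visible in one place.
        serializer.setUseHttpOnlyCookie(true);

        // Restrict the cookie to same-site requests as well.
        serializer.setSameSite("Strict");

        return serializer;
    }
}
```

Setting the flag explicitly matters beyond just avoiding the literal `false`: when `setUseSecureCookie` is never called, DefaultCookieSerializer decides per response from `HttpServletRequest.isSecure()`, which is false behind a TLS-terminating reverse proxy unless forwarded headers are honoured, so the cookie can silently go out without `Secure` in exactly the deployment where it was assumed to be protected. To confirm the configuration took effect, inspect the response to a request that creates a session and check that the `Set-Cookie` header for `SESSION` carries `Secure`, `HttpOnly` and `SameSite=Strict`.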
Resources
Recipe
id: scw:spring:web:cookie-set-secure
version: 10
metadata:
  name: 'Session configuration: Cookies: Set Secure flag to true '
  shortDescription: Prevent a cookie being sent over unencrypted HTTP by setting the Secure flag to true
  level: error
  language: java
  scwCategory: improper_session_handling:improper_flags_in_cookie_headers
  enabled: true
  descriptionFile: descriptions/SessionconfigurationCookiesSetSecureflagtotrue.html
  tags: Spring;security;framework specific;web;Spring Web;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "false"
    name: setUseSecureCookie
    type: org.springframework.session.web.http.DefaultCookieSerializer
availableFixes:
- name: Set Secure to true
  actions:
  - modifyArguments:
      rewrite:
        1: "true"