Sensitive cookie missing HttpOnly attribute — CodeQL query help documentation

Recommendation¶

Set httponly to True, or add ; HttpOnly; to the cookie’s raw header value, to ensure that the cookie is not accessible via JavaScript.

Example¶

In the following examples, the cases marked GOOD show secure cookie attributes being set; whereas in the case marked BAD they are not set.

from flask import Flask, request, make_response, Response


@app.route("/good1")
def good1():
    resp = make_response()
    resp.set_cookie("sessionid", value="value", secure=True, httponly=True, samesite='Strict') # GOOD: Attributes are securely set
    return resp


@app.route("/good2")
def good2():
    resp = make_response()
    resp.headers['Set-Cookie'] = "sessionid=value; Secure; HttpOnly; SameSite=Strict" # GOOD: Attributes are securely set 
    return resp

@app.route("/bad1")
def bad1():
    resp = make_response()
    resp.set_cookie("sessionid", value="value", samesite='None') # BAD: the SameSite attribute is set to 'None' and the 'Secure' and 'HttpOnly' attributes are set to False by default.
    return resp

References¶

PortSwigger: Cookie without HttpOnly flag set
MDN: Set-Cookie.
Common Weakness Enumeration: CWE-1004.