Failure to use secure cookies¶
ID: py/insecure-cookie
Kind: problem
Security severity: 5.0
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-614
- external/cwe/cwe-1004
- external/cwe/cwe-1275
Query suites:
- python-code-scanning.qls
- python-security-extended.qls
- python-security-and-quality.qls
Click to see the query in the CodeQL repository
Cookies without the Secure flag set may be transmitted using HTTP instead of HTTPS, which leaves them vulnerable to reading by a third party.
Cookies without the HttpOnly flag set are accessible to JavaScript running in the same origin. In case of a Cross-Site Scripting (XSS) vulnerability, the cookie can be stolen by a malicious script.
Cookies with the SameSite attribute set to 'None' will be sent with cross-origin requests, which can be controlled by third-party JavaScript code and allow for Cross-Site Request Forgery (CSRF) attacks.
Recommendation¶
Always set secure to True or add “; Secure;” to the cookie’s raw value.
Always set httponly to True or add “; HttpOnly;” to the cookie’s raw value.
Always set samesite to Lax or Strict, or add “; SameSite=Lax;”, or “; Samesite=Strict;” to the cookie’s raw header value.