
Cookies with security attributes

Summary

The session cookies of web applications must have security attributes (HttpOnly, Secure, SameSite) and prefixes (e.g., __Host-).

Description

When a web application manages sessions, the cookie that carries the session identifier should be set with attributes that restrict how it can be read and when it is sent. HttpOnly keeps the cookie out of reach of client-side script (document.cookie and similar APIs), so a Cross-Site Scripting (XSS) payload cannot read and exfiltrate it; the browser itself still stores the cookie and attaches it to requests. Secure instructs the browser to send the cookie only over encrypted (HTTPS) connections, so it is never exposed to a network attacker on plaintext HTTP. SameSite (Lax or Strict) stops the browser from attaching the cookie to requests initiated from other sites, which limits Cross-Site Request Forgery (CSRF). The __Host- prefix binds the cookie to a single secure origin: a browser only accepts a __Host- cookie when it carries the Secure attribute, has Path=/ and has no Domain attribute, so a subdomain or a plaintext origin cannot overwrite it.

Together these attributes greatly reduce the risk of session theft. They do not, however, stop an XSS payload from issuing requests from inside the page with the victim's session attached, so they complement rather than replace XSS prevention, short session lifetimes and server-side invalidation.
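The following is an added example, not code from Fluid Attacks or from this page: a small auditor that parses a Set-Cookie header and reports which of the attributes described above are missing, plus a helper that emits a compliant session cookie. The function names audit_session_cookie and build_session_cookie, the cookie name "session" and the sample headers are assumptions made for illustration; the __Host- rules it checks (Secure, Path=/, no Domain) are the ones browsers enforce for that prefix.

```python
"""Audit Set-Cookie headers for the attributes a session cookie should carry.

Example code written for this page; not part of the Fluid Attacks platform.
"""
from typing import Dict, List, Optional, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a raw Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; valueless attributes (Secure, HttpOnly)
    map to None. Attribute values keep their case so SameSite=Lax survives.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str) -> List[str]:
    """Return one finding per missing or misused security attribute.

    An empty list means the cookie meets the requirement on this page.
    Only the header text is inspected; whether the response actually
    travelled over HTTPS must be checked separately.
    """
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []

    if "httponly" not in attrs:
        findings.append("HttpOnly missing: document.cookie exposes it to XSS")
    if "secure" not in attrs:
        findings.append("Secure missing: sent over plaintext HTTP")

    samesite = (attrs.get("samesite") or "").lower()
    if samesite not in ("lax", "strict"):
        # Absent or None: browser may attach it to cross-site requests (CSRF).
        findings.append("SameSite missing or None: set Lax or Strict")

    if name.startswith("__Host-"):
        # Browsers reject a __Host- cookie outright if these do not hold,
        # so a violation here means the session cookie is silently dropped.
        if "domain" in attrs:
            findings.append("__Host- prefix: Domain attribute must not be set")
        if attrs.get("path") != "/":
            findings.append("__Host- prefix: Path must be exactly /")
    elif name.startswith("__Secure-"):
        # Weaker prefix: only requires Secure, still allows subdomain writes.
        findings.append("__Secure- prefix: prefer __Host- to block subdomain overwrite")
    else:
        findings.append("no __Host- prefix: a subdomain or http:// origin can overwrite it")

    return findings


def build_session_cookie(session_id: str, name: str = "__Host-session") -> str:
    """Emit a Set-Cookie value that satisfies every check in audit_session_cookie.

    Path=/ and the absence of Domain are required by the __Host- prefix;
    Strict is the safest SameSite value for a pure session cookie.
    """
    return f"{name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


# Constructed sample headers, as a web server might emit them.
WEAK_COOKIE = "session=abc123; Path=/"
HARDENED_COOKIE = build_session_cookie("abc123")
BROKEN_HOST_PREFIX = (
    "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Domain=example.com"
)

if __name__ == "__main__":
    for label, cookie in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE),
                          ("broken __Host-", BROKEN_HOST_PREFIX)):
        print(f"{label}: {cookie}")
        for finding in audit_session_cookie(cookie) or ["OK"]:
            print("  -", finding)
```

The auditor only reads the header; run it against the Set-Cookie lines your application actually emits (for example from a proxy capture) rather than against the framework configuration, since a misconfigured reverse proxy or cookie-rewriting middleware can strip attributes on the way out.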

Supported In

This requirement is verified in the following services:

Plan        Supported
Machine     🟢
Squad       🟢
One-Shot    🟢
