ajinabraham.njsscan.headers.header_cookie.cookie_session_no_secure


Default session middleware settings: `secure` not set. The `secure` flag ensures the browser only sends the cookie over HTTPS.


Definition

# Flags calls to the express-session / cookie-session middleware whose options
# do not set cookie.secure = true, i.e. the session cookie may be sent over
# plain HTTP rather than HTTPS only.
rules:
  - id: cookie_session_no_secure
    patterns:
      # Scope: only files where one of the two middlewares is required via
      # CommonJS and bound to $SESSION. The trailing `...` lets the require
      # appear anywhere before the matched call.
      # NOTE(review): only `require(...)` is matched; ESM `import` forms of
      # the same packages are not covered by these patterns.
      - pattern-either:
          - pattern-inside: |
              $SESSION = require('cookie-session')
              ...
          - pattern-inside: |
              $SESSION = require('express-session')
              ...
      # The finding itself is the middleware invocation.
      - pattern: $SESSION(...)
      # Exclusions: the call is treated as safe when secure:true reaches it by
      # one of the following routes.
      # 1. Inline options literal with a cookie sub-object containing secure:true.
      - pattern-not-inside: $SESSION(<... {cookie:{secure:true}} ...>,...)
      # 2. Options literal (with cookie.secure:true) stored in $OPTS and passed later.
      - pattern-not-inside: |
          $OPTS = <... {cookie:{secure:true}} ...>;
          ...
          $SESSION($OPTS,...)
      # 3. A separate object literal containing secure:true assigned before the call.
      # NOTE(review): $COOKIE is not linked to $OPTS, so any object literal with
      # secure:true assigned anywhere before the call suppresses the finding,
      # even if it never becomes the session cookie — possible false negative.
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE = <... {secure:true} ...>;
          ...
          $SESSION($OPTS,...)
      # 4. Cookie sub-object assigned as a property of $OPTS after creation.
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie = <... {secure:true} ...>;
          ...
          $SESSION($OPTS,...)
      # 5. secure flag set by property assignment on some cookie object.
      # NOTE(review): same caveat as 3 — $COOKIE is unconstrained, so any
      # `X.secure = true` before the call suppresses the finding.
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE.secure = true;
          ...
          $SESSION($OPTS,...)
      # 6. secure flag set directly on $OPTS.cookie.
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie.secure = true;
          ...
          $SESSION($OPTS,...)
    # Shown to the user for each finding (double-quoted scalar folded over two lines).
    message: "Default session middleware settings: `secure` not set. It ensures the
      browser only sends the cookie over HTTPS."
    severity: WARNING
    languages:
      - javascript
    metadata:
      # CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
      cwe: cwe-614
      owasp-web: a2
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other