Java

Made by DeepSource

Cookies must not be insecure JAVA-S1003

Security
Critical
a05 cwe-614 cwe-200 cwe-319 a07 cwe-201 sans top 25 owasp top 10

A new cookie is created without the Secure flag set to true. The Secure flag is a directive to the browser: a cookie carrying it is only sent back over TLS (https://), never over a plain http:// connection where it could be read or altered by anyone on the network path. Without the flag, a cookie issued over HTTPS is still attached to any later plain-HTTP request to the same host, which leaks session identifiers and other sensitive values in cleartext.

Bad Practice

Cookie cookie = new Cookie("userName", userName); // no setSecure(true): sent over http:// as well
response.addCookie(cookie);

Recommended

Always set the Secure flag when creating the cookie, and set HttpOnly as well so scripts cannot read it:

Cookie cookie = new Cookie("userName", userName);
cookie.setSecure(true);   // Secure flag: only transmitted over https://
cookie.setHttpOnly(true); // HttpOnly: not accessible from JavaScript
response.addCookie(cookie);

The container's own session cookie (JSESSIONID) can be hardened through the `<cookie-config>` element in web.xml, available from the Servlet 3.0 API onward. Note that this setting only governs the session-tracking cookie; cookies you create yourself with `new Cookie(...)` are not affected and still need `setSecure(true)` in code:

<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
[...]
<session-config>
 <cookie-config>
  <http-only>true</http-only>
  <secure>true</secure>
 </cookie-config>
</session-config>
</web-app>
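The two mechanisms above side by side, as an added example that is not part of the DeepSource rule page: a servlet with a small helper that builds Secure + HttpOnly cookies, and a `ServletContextListener` that applies the same settings to the session cookie programmatically (the equivalent of the web.xml block). The `/login` path, the `userName` form parameter and the 30-minute lifetime are assumptions for illustration. The example uses the `javax.servlet` 3.x packages the page refers to; on Servlet 5 and later the same classes live under `jakarta.servlet`.

```java
// SecureCookieServlet.java (added example; javax.servlet 3.x API, jakarta.servlet on Servlet 5+)
import java.io.IOException;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/login") // hypothetical path
public class SecureCookieServlet extends HttpServlet {

    /** Build a cookie the browser only sends over HTTPS and never exposes to scripts. */
    static Cookie secureCookie(String name, String value, int maxAgeSeconds) {
        Cookie cookie = new Cookie(name, value);
        cookie.setSecure(true);    // Secure flag: never transmitted over http://
        cookie.setHttpOnly(true);  // HttpOnly: not readable via document.cookie
        cookie.setPath("/");       // explicit scope instead of the request's own path
        cookie.setMaxAge(maxAgeSeconds);
        return cookie;
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Current browsers discard a Secure cookie that arrives on a plain-HTTP
        // response, so refuse to issue one unless the request itself came over TLS.
        // Behind a TLS-terminating proxy, isSecure() is only true when the container
        // is configured to trust the proxy (e.g. Tomcat's RemoteIpValve).
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        String userName = request.getParameter("userName"); // hypothetical form field
        if (userName == null || userName.isEmpty()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        response.addCookie(secureCookie("userName", userName, 30 * 60));
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}

/**
 * Programmatic equivalent of the web.xml <cookie-config> block. Like web.xml, it only
 * governs the container's session cookie (JSESSIONID); cookies created with
 * new Cookie(...) still need setSecure(true) themselves, as above.
 */
@WebListener
class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setSecure(true);   // same as <secure>true</secure>
        cfg.setHttpOnly(true); // same as <http-only>true</http-only>
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

The `isSecure()` guard is the practical check a reviewer looks for alongside the flag itself: setting Secure is pointless if the application is also reachable over plain HTTP and happily issues the cookie there. The `SessionCookieConfig` calls must run before the first session is created, which is why they sit in `contextInitialized`.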

References

  • CWE-200 - Information Exposure
  • CWE-201 - Insertion of Sensitive Information Into Sent Data
  • CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
  • CWE-319 - Cleartext Transmission of Sensitive Information
  • OWASP - Secure Flag
  • OWASP Top Ten (2021) - Category A05 - Security Misconfiguration
  • OWASP Top Ten (2021) - Category A07 - Identification and Authentication Failures
  • FindSecBugs - INSECURE_COOKIE