Creating a cookie without the `secure` flag lets the browser send it over unencrypted HTTP as well as HTTPS, so anyone on the network path can read or replay it. For session and CSRF cookies this leads to cookie hijacking, information leaks, and session hijacking.
This rule checks the `secure` option of cookies created with the following packages. Noncompliant examples (`secure: false`) are shown first, followed by the compliant equivalents (`secure: true`):
// cookie-session — Noncompliant
import cookieSession from 'cookie-session'
// `secure: false` lets the browser send the session cookie on plain-HTTP requests,
// where it can be read by anyone on the network path.
const session = cookieSession({
  secure: false, // Sensitive
})
// express-session — Noncompliant
import express from 'express'
import session from 'express-session'

const app = express()
// The session-ID cookie is explicitly allowed over unencrypted connections.
const sessionMiddleware = session({
  cookie: {
    secure: false, // Sensitive
  },
})
app.use(sessionMiddleware)
// cookies — Noncompliant
const Cookies = require('cookies')

const cookies = new Cookies(req, res, { keys })
const lastVisit = new Date().toISOString()
// The cookie is written without the HTTPS-only restriction.
cookies.set('LastVisit', lastVisit, {
  secure: false, // Sensitive
})
// csurf — Noncompliant
const cookieParser = require('cookie-parser')
const csrf = require('csurf')
const express = require('express')

// The cookie holding the CSRF secret is allowed over plain HTTP.
const csrfCookie = { secure: false } // Sensitive
const csrfProtection = csrf({ cookie: csrfCookie })
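// cookie-session — Compliant
import cookieSession from 'cookie-session'
const session = cookieSession({
  // `secure: true` restricts the session cookie to HTTPS, so it never travels on a
  // plaintext connection. This is the flag the rule checks.
  secure: true,
  // Complementary hardening: keep the cookie out of reach of page scripts, which
  // closes the cookie-hijacking path through injected JavaScript.
  httpOnly: true,
})
// NOTE(review): this minimal snippet omits the signing `keys`/`secret` that
// cookie-session needs in real code, and behind a TLS-terminating proxy the library
// may not see the request as secure — confirm both against the package docs.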
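// express-session — Compliant
import express from 'express'
import session from 'express-session'

const app = express()
app.use(
  session({
    cookie: {
      secure: true,   // only sent over HTTPS — the flag this rule checks
      httpOnly: true, // not readable by page scripts (complements `secure`)
    },
  })
)
// NOTE(review): a `secret` is also required in real code. When Express sits behind
// a TLS-terminating reverse proxy, a `secure: true` cookie is only set if the proxy
// is trusted (`app.set('trust proxy', 1)` or the `proxy: true` session option) —
// verify against your deployment.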
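// cookies — Compliant
const Cookies = require('cookies')

const cookies = new Cookies(req, res, { keys })
cookies.set('LastVisit', new Date().toISOString(), {
  secure: true,   // HTTPS only — the flag this rule checks
  httpOnly: true, // not readable from page scripts (complements `secure`)
})
// NOTE(review): the `cookies` library refuses to set a `secure` cookie when it does
// not consider the connection encrypted (e.g. behind a TLS-terminating proxy); in
// that case pass `secure: true` in the Cookies constructor options — confirm against
// the library's documentation.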
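// csurf — Compliant
const cookieParser = require('cookie-parser')
const csrf = require('csurf')
const express = require('express')

const csrfProtection = csrf({
  cookie: {
    secure: true,   // HTTPS only — the flag this rule checks
    httpOnly: true, // the CSRF secret must not be readable by page scripts
  },
})
// NOTE(review): csurf's cookie mode reads the secret from the parsed request
// cookies, so `cookieParser()` must be mounted before `csrfProtection`; this snippet
// imports it but does not mount it. csurf is also no longer maintained upstream —
// confirm before relying on it in new code.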