HttpOnly attribute explicitly set to false with CookieBuilder::http_only
// Lint fixture for the builder form of the HttpOnly check.
// The first `http_only(true)` is the expected-compliant call; the second
// call explicitly clears the attribute and is the shape the rule
// "HttpOnly attribute explicitly set to false with CookieBuilder::http_only"
// reports. (The built cookies are discarded; only the call pattern matters.)
fn use_cookie_builder_without_http_only() {
    // Compliant: HttpOnly enabled on the builder.
    Cookie::build("name", "value").http_only(true);
    // Noncompliant: HttpOnly explicitly set to false.
    Cookie::build("name", "value").http_only(false);
}
124fn header() {
HttpOnly attribute explicitly set to false with Cookie::set_http_only
// Lint fixture for the setter form of the HttpOnly check.
// `set_http_only(true)` is the expected-compliant call; the following
// `set_http_only(false)` explicitly clears the attribute and is the shape the
// rule "HttpOnly attribute explicitly set to false with Cookie::set_http_only"
// reports.
fn use_cookie_without_http_only() {
    let mut c = Cookie::new("name", "value");
    // Compliant: HttpOnly enabled.
    c.set_http_only(true);
    // Noncompliant: HttpOnly explicitly set to false, leaving the cookie
    // readable from client-side script.
    c.set_http_only(false);
}
118fn use_cookie_builder_without_http_only() {
Description
Cookies set without the HttpOnly flag are exposed to client-side script through document.cookie, so a Cross-Site Scripting (XSS) payload can read and exfiltrate them (cookie theft).
In the past this has led to vulnerabilities such as CVE-2014-8958 and CVE-2008-5770.
Many Cross-Site Scripting (XSS) payloads aim to steal the cookies set by the application, typically a session identifier. Setting the HttpOnly attribute to true keeps the cookie out of document.cookie, so an injected script cannot read it directly. Note that HttpOnly limits the impact of an XSS flaw rather than preventing it: an injected script can still issue requests that carry the cookie, so output encoding and a Content Security Policy remain necessary, and session cookies should normally also carry the Secure and SameSite attributes.
Bad practice
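use cookie::Cookie;
// Noncompliant: HttpOnly is explicitly disabled, so client-side script can
// read this cookie through document.cookie and an XSS payload can
// exfiltrate its "sensitive value".
let mut c = Cookie::new("data", "sensitive value");
c.set_http_only(false);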
Recommended
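use cookie::Cookie;
// Compliant: HttpOnly is set, so the browser withholds the cookie from
// document.cookie. This limits what an injected script can read; it does
// not stop the script from sending requests that carry the cookie, so it
// complements, rather than replaces, XSS prevention.
let mut c = Cookie::new("data", "sensitive value");
c.set_http_only(true);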