Made by DeepSource

Audit Required: Same-Site attribute improperly configured for gin session cookie GO-S1042

Security
Major
OWASP Top 10 A01, CWE-1275

Session cookies set with SameSite=None are sent along with cross-site requests, which leaves the application open to CSRF (cross-site request forgery) attacks. Use SameSite=Strict or SameSite=Lax instead, depending on the application's requirements.

Bad practice

package main

import (
    "net/http"

    "github.com/gin-contrib/sessions"
)

func foo(store sessions.Store) {
    // SameSite=None: the browser attaches the session cookie to cross-site requests.
    store.Options(sessions.Options{SameSite: http.SameSiteNoneMode})
}

Recommended

package main

import (
    "net/http"

    "github.com/gin-contrib/sessions"
)

func foo(store sessions.Store) {
    // SameSite=Strict: the cookie is never sent on cross-site requests.
    store.Options(sessions.Options{SameSite: http.SameSiteStrictMode})
}

or

package main

import (
    "net/http"

    "github.com/gin-contrib/sessions"
)

func foo(store sessions.Store) {
    // SameSite=Lax: the cookie is sent only on top-level navigations using safe methods (e.g. GET).
    store.Options(sessions.Options{SameSite: http.SameSiteLaxMode})
}
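The snippets above configure the attribute; the following added example (not part of the DeepSource rule page or of gin-contrib/sessions) shows what each setting actually produces on the wire and how to audit it. gin-contrib/sessions maps its `Options` fields onto the standard `http.Cookie`, so the example uses `net/http` directly to stay free of third-party dependencies: it emits the `Set-Cookie` header for each `SameSite` mode through a test recorder, then `AuditSameSite` (an assumed helper name) flags headers that are cross-site capable, namely `SameSite=None` or a cookie with no `SameSite` attribute at all. The cookie name and value are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sessionCookie builds a session cookie the way sessions.Options fields
// end up on an http.Cookie. Secure is set because browsers reject
// SameSite=None cookies that are not also Secure.
func sessionCookie(value string, sameSite http.SameSite) *http.Cookie {
	return &http.Cookie{
		Name:     "session", // constructed name for the example
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: sameSite,
	}
}

// setCookieHeader runs a minimal login-style handler against a recorder and
// returns the raw Set-Cookie header, which is what a browser actually sees.
func setCookieHeader(sameSite http.SameSite) string {
	rec := httptest.NewRecorder()
	handler := func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, sessionCookie("constructed-session-id", sameSite))
	}
	handler(rec, httptest.NewRequest(http.MethodGet, "/login", nil))
	return rec.Header().Get("Set-Cookie")
}

// AuditSameSite parses one Set-Cookie header line and reports the SameSite
// mode it carries. crossSiteCapable is true for SameSite=None and for a
// cookie with no SameSite attribute, since the behaviour of an unset
// attribute depends on the browser and must not be relied on for CSRF
// protection.
func AuditSameSite(setCookie string) (mode string, crossSiteCapable bool) {
	for _, attr := range strings.Split(setCookie, ";") {
		attr = strings.TrimSpace(attr)
		if strings.HasPrefix(strings.ToLower(attr), "samesite=") {
			mode = attr[len("samesite="):]
			return mode, strings.EqualFold(mode, "None")
		}
	}
	return "", true
}

func main() {
	for _, m := range []http.SameSite{
		http.SameSiteNoneMode, http.SameSiteLaxMode, http.SameSiteStrictMode,
	} {
		header := setCookieHeader(m)
		mode, risky := AuditSameSite(header)
		fmt.Printf("%-60s mode=%-6s cross-site capable=%v\n", header, mode, risky)
	}
}
```

Running the block prints one `Set-Cookie` line per mode; only the `SameSite=None` line is reported as cross-site capable. Note that Go's own `http.Client` cookie jar does not enforce SameSite, so enforcement is something only the browser does, which is why the audit works on the header rather than by replaying a cross-site request.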

References