Go

Made by DeepSource

Non HTTP-only cookie for gin sessions GO-S1043

Security
Major
a01 owasp top 10

A session cookie that is not marked HttpOnly can be read by JavaScript running on the page through document.cookie. If the application has an XSS vulnerability, injected script can exfiltrate the cookie and an attacker can replay it to hijack the session. Setting HttpOnly: true in sessions.Options makes the browser withhold the cookie from scripts. It does not fix the XSS itself (injected script can still issue requests that carry the cookie), so treat it as defence in depth alongside output encoding, and set the Secure and SameSite options on the same cookie.

Bad practice

package main

import "github.com/gin-contrib/sessions"

// foo configures the session store so the session cookie is issued without the
// HttpOnly attribute: any script on the page can read it via document.cookie.
func foo(store sessions.Store) {
    store.Options(sessions.Options{HttpOnly: false})
}

Recommended

package main

import "github.com/gin-contrib/sessions"

// foo marks the session cookie HttpOnly so the browser never exposes it to scripts.
func foo(store sessions.Store) {
    store.Options(sessions.Options{HttpOnly: true})
}
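The fix is only as good as the Set-Cookie header the server actually emits, so it is worth asserting on that header in a test after any session-store change. The example below is added here and is not DeepSource's or gin-contrib/sessions' code: it uses the standard library net/http directly instead of the gin session store (the attribute names are the same), with a hypothetical handler that issues a cookie named "session" and an audit helper that parses the response and reports which of HttpOnly, Secure and SameSite a cookie lacks.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// setSessionCookie issues the (hypothetical) "session" cookie the way a hardened
// handler should: HttpOnly keeps document.cookie from reading it, Secure limits
// it to TLS, SameSite=Lax limits cross-site sending. httpOnly is a parameter only
// so the example can show the insecure variant side by side with the fixed one.
func setSessionCookie(w http.ResponseWriter, value string, httpOnly bool) {
	http.SetCookie(w, &http.Cookie{
		Name:     "session",
		Value:    value,
		Path:     "/",
		HttpOnly: httpOnly,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	})
}

// setLegacyCookie issues the same cookie with no hardening attributes at all,
// which is what a bare http.Cookie{Name, Value} produces.
func setLegacyCookie(w http.ResponseWriter, value string) {
	http.SetCookie(w, &http.Cookie{Name: "session", Value: value, Path: "/"})
}

// missingCookieFlags parses every Set-Cookie header of a response and returns,
// per cookie name, the hardening attributes that are absent. An absent SameSite
// attribute leaves c.SameSite at its zero value, so the check accepts only an
// explicit Lax or Strict.
func missingCookieFlags(resp *http.Response) map[string][]string {
	missing := map[string][]string{}
	for _, c := range resp.Cookies() {
		var m []string
		if !c.HttpOnly {
			m = append(m, "HttpOnly")
		}
		if !c.Secure {
			m = append(m, "Secure")
		}
		if c.SameSite != http.SameSiteLaxMode && c.SameSite != http.SameSiteStrictMode {
			m = append(m, "SameSite")
		}
		missing[c.Name] = m
	}
	return missing
}

// auditHandler drives a handler with a recorded request (constructed sample
// input) and returns the flags missing from the cookies it sets.
func auditHandler(h http.HandlerFunc) map[string][]string {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/login", nil))
	return missingCookieFlags(rec.Result())
}

func main() {
	insecure := func(w http.ResponseWriter, r *http.Request) { setSessionCookie(w, "abc123", false) }
	fixed := func(w http.ResponseWriter, r *http.Request) { setSessionCookie(w, "abc123", true) }
	legacy := func(w http.ResponseWriter, r *http.Request) { setLegacyCookie(w, "abc123") }
	fmt.Println("HttpOnly:false ->", auditHandler(insecure))
	fmt.Println("HttpOnly:true  ->", auditHandler(fixed))
	fmt.Println("no attributes  ->", auditHandler(legacy))
}
```

Parsing the response with resp.Cookies() rather than string-matching the header is deliberate: browsers apply the attributes the parser sees, so the audit reflects what a browser would actually enforce.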
