JavaScript

Made by DeepSource

Audit: Insecure cookie JS-D015

Security
Major
Tags: Autofix, A02, CWE-614, CWE-311, CWE-315, SANS Top 25, OWASP Top 10

Configuring the server to issue cookies without the `Secure` attribute can lead to attacks such as cookie hijacking, information leaks, and session hijacking: a browser sends a non-Secure cookie over plain HTTP as well as HTTPS, so anyone on the network path can read it.

This issue checks the cookie configuration passed to the following packages: cookie-session, express-session, cookies, and csurf.

Bad Practice

// cookie-session
import cookieSession from 'cookie-session'
const session = cookieSession({ secure: false }) // Sensitive: cookie is also sent over plain HTTP

// express-session
import express from 'express'
import session from 'express-session'

const app = express()
app.use(session({ cookie: { secure: false } })) // Sensitive

// cookies
const Cookies = require('cookies')
// inside a request handler; `keys` is the list of signing keys defined elsewhere
const cookies = new Cookies(req, res, { keys: keys })

cookies.set('LastVisit', new Date().toISOString(), {
  secure: false // Sensitive
})

// csurf
const cookieParser = require('cookie-parser')
const csrf = require('csurf')
const express = require('express')

const csrfProtection = csrf({ cookie: { secure: false } }) // Sensitive

Recommended

// cookie-session
import cookieSession from 'cookie-session'
const session = cookieSession({ secure: true }) // cookie only sent over HTTPS

// express-session
import express from 'express'
import session from 'express-session'

const app = express()
// behind a TLS-terminating proxy, also enable Express's 'trust proxy' setting,
// otherwise express-session sees plain HTTP and will not set a Secure cookie
app.use(session({ cookie: { secure: true } }))

// cookies
const Cookies = require('cookies')
// inside a request handler; `keys` is the list of signing keys defined elsewhere
const cookies = new Cookies(req, res, { keys: keys })

cookies.set('LastVisit', new Date().toISOString(), {
  secure: true
})

// csurf
const cookieParser = require('cookie-parser')
const csrf = require('csurf')
const express = require('express')

const csrfProtection = csrf({ cookie: { secure: true } })