Rust


By DeepSource

Audit required: Sensitive cookie without `HttpOnly` attribute (RS-A1003)

Security

Cookies set without the HttpOnly flag can be read by client-side scripts, so a Cross-Site Scripting (XSS) vulnerability in the application can be used to steal them.

In the past this has led to vulnerabilities such as:

- CVE-2014-8958
- CVE-2008-5770

Cross-Site Scripting (XSS) attacks commonly target the cookies set by the application. Setting the HttpOnly attribute to true blocks script access to the cookie, which mitigates cookie theft through XSS.

Examples

Bad practice

```rust
use cookie::Cookie;

fn main() {
    let mut c = Cookie::new("data", "sensitive value");
    // Explicitly disabling HttpOnly leaves the cookie readable by client-side scripts.
    c.set_http_only(false);
}
```

Recommended

```rust
use cookie::Cookie;

fn main() {
    let mut c = Cookie::new("data", "sensitive value");
    // HttpOnly keeps the cookie out of reach of document.cookie and similar script APIs.
    c.set_http_only(true);
}
```
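The fix above only helps if the flag actually reaches the `Set-Cookie` header. The following is an added example, not code from the DeepSource rule or the `cookie` crate: a std-only parser for `Set-Cookie` values plus an audit function that reports sensitive cookies (by a name list you supply, an assumption here) that lack `HttpOnly`, suitable for an integration test against real responses. The header strings are constructed samples.

```rust
// Added example (not part of the DeepSource rule page): parse `Set-Cookie` header
// values and report sensitive cookies that are missing the `HttpOnly` attribute.

/// Attributes parsed from one `Set-Cookie` header value.
#[derive(Debug, PartialEq)]
pub struct ParsedCookie {
    pub name: String,
    pub http_only: bool,
    pub secure: bool,
}

/// Parse a `Set-Cookie` value such as `data=abc; Path=/; HttpOnly`.
/// Attribute names are matched case-insensitively, as RFC 6265 requires.
pub fn parse_set_cookie(header: &str) -> Option<ParsedCookie> {
    let mut parts = header.split(';').map(str::trim);
    let pair = parts.next()?;
    let name = pair.split_once('=')?.0.trim();
    if name.is_empty() {
        return None;
    }
    let mut cookie = ParsedCookie { name: name.to_string(), http_only: false, secure: false };
    for attr in parts {
        // Attributes like `Max-Age=3600` carry a value; flags like `HttpOnly` do not.
        let key = attr.split_once('=').map_or(attr, |(k, _)| k).trim();
        if key.eq_ignore_ascii_case("httponly") {
            cookie.http_only = true;
        } else if key.eq_ignore_ascii_case("secure") {
            cookie.secure = true;
        }
    }
    Some(cookie)
}

/// Return the names of cookies in `sensitive` (assumed name list) that lack `HttpOnly`.
pub fn cookies_missing_http_only(headers: &[&str], sensitive: &[&str]) -> Vec<String> {
    headers
        .iter()
        .filter_map(|h| parse_set_cookie(h))
        .filter(|c| sensitive.iter().any(|s| s.eq_ignore_ascii_case(&c.name)) && !c.http_only)
        .map(|c| c.name)
        .collect()
}

fn main() {
    // Constructed sample headers; the first matches the "bad practice" cookie above.
    let headers = ["data=sensitive%20value; Path=/", "session=abc123; Secure; HttpOnly", "theme=dark"];
    let findings = cookies_missing_http_only(&headers, &["data", "session"]);
    println!("cookies missing HttpOnly: {:?}", findings); // prints ["data"]
}
```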
