Rust

Made by DeepSource

Audit required: Sensitive cookie without HttpOnly attribute RS-A1003

Security
Critical
a03 cwe-79 cwe-1004 owasp top 10

Cookies set without the HttpOnly flag can be read by client-side script (for example through `document.cookie`), which enables cookie theft in Cross-Site Scripting (XSS) attacks.

In the past, this has led to vulnerabilities such as:
- CVE-2014-8958
- CVE-2008-5770

Cross-Site Scripting (XSS) attacks frequently aim to steal cookies set by the application. Setting the HttpOnly attribute to true makes the browser withhold the cookie from script, so an XSS payload cannot read it, which limits the damage of such an attack.

Bad practice

use cookie::Cookie;

fn main() {
    let mut c = Cookie::new("data", "sensitive value");
    // Explicitly disabling HttpOnly leaves the cookie readable by client-side script.
    c.set_http_only(false);
}

Recommended

use cookie::Cookie;

fn main() {
    let mut c = Cookie::new("data", "sensitive value");
    // HttpOnly keeps the cookie out of reach of document.cookie and other script access.
    c.set_http_only(true);
}
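The same check can be applied from the outside, on the `Set-Cookie` headers a server actually emits. The following dependency-free audit helper is an added example, not DeepSource's or the `cookie` crate's code; the cookie names it treats as sensitive (`session`, `data`) and the sample headers are constructed for illustration.

```rust
// Added example: audit Set-Cookie header values for the HttpOnly attribute.
#[derive(Debug, PartialEq)]
pub struct CookieAudit {
    pub name: String,
    pub http_only: bool,
    pub secure: bool,
}

/// Parse a `Set-Cookie` value such as `session=abc123; Path=/; HttpOnly; Secure`
/// and record which protective attributes it carries.
/// Attribute names are matched case-insensitively, as RFC 6265 requires.
pub fn audit_set_cookie(header: &str) -> Option<CookieAudit> {
    let mut parts = header.split(';').map(str::trim);
    let (name, _) = parts.next()?.split_once('=')?;
    let name = name.trim();
    if name.is_empty() {
        return None;
    }
    let mut audit = CookieAudit { name: name.to_string(), http_only: false, secure: false };
    for attr in parts {
        // Attributes may carry a value (Path=/), so compare only the attribute name.
        let key = attr.split('=').next().unwrap_or("").trim();
        if key.eq_ignore_ascii_case("HttpOnly") {
            audit.http_only = true;
        } else if key.eq_ignore_ascii_case("Secure") {
            audit.secure = true;
        }
    }
    Some(audit)
}

/// Cookie names this (hypothetical) application treats as sensitive.
const SENSITIVE_COOKIES: &[&str] = &["session", "data"];

/// Names of sensitive cookies in `headers` that lack HttpOnly: the condition
/// RS-A1003 flags in source, observed here at the HTTP layer instead.
pub fn missing_http_only(headers: &[&str]) -> Vec<String> {
    headers
        .iter()
        .copied()
        .filter_map(audit_set_cookie)
        .filter(|a| SENSITIVE_COOKIES.iter().any(|s| a.name.eq_ignore_ascii_case(s)))
        .filter(|a| !a.http_only)
        .map(|a| a.name)
        .collect()
}

fn main() {
    // Constructed sample headers, as a server might emit them.
    let headers = [
        "session=abc123; Path=/; HttpOnly; Secure",
        "data=sensitive value; Path=/",
        "theme=dark; Path=/",
    ];
    for name in missing_http_only(&headers) {
        println!("sensitive cookie '{name}' is set without HttpOnly");
    }
}
```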
