httponly attribute
PY-A6004

import flask
from uuid import uuid4
app = flask.Flask(__name__)
@app.get("/")
def home():
    response = flask.make_response()
    response.set_cookie("userid", uuid4().hex)  # flagged: httponly is not set
    return response
Cookies set without the httponly flag can be read by a client-side script, leading to cookie theft from Cross-Site Scripting (XSS) attacks. When a cookie is created, the default value of httponly is False. It is recommended to explicitly set httponly to True to prevent the risk.

Cross-Site Scripting (XSS) attacks target the theft of session cookies. If the httponly attribute is set to True, it won't be possible to exploit the XSS vulnerability to steal session cookies.
import flask
some_response = flask.Response()
# The cookie is not secure here:
some_response.set_cookie('sensitive', 'some_value')
# The cookie is secure here:
some_response.set_cookie('sensitive', 'some_value', httponly=True)
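The static check above finds calls that omit httponly; as an added example (not DeepSource's or Flask's own code), the following standard-library helper audits the Set-Cookie headers a running app actually emits, so the same gap can be caught in an integration test. The header values are constructed samples in the shape Flask's set_cookie produces.

```python
# Added example: runtime audit of Set-Cookie headers for the HttpOnly flag.
# Only the standard library is used, so this runs offline without Flask.
from http.cookies import SimpleCookie


def cookie_flags(set_cookie_value: str) -> dict:
    """Parse one Set-Cookie header value into {name: {"httponly": bool, "secure": bool}}."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    # A flag attribute (HttpOnly, Secure) is stored as True when present, "" when absent.
    return {
        name: {
            "httponly": bool(morsel["httponly"]),
            "secure": bool(morsel["secure"]),
        }
        for name, morsel in jar.items()
    }


def missing_httponly(set_cookie_headers) -> list:
    """Return the names of cookies set without HttpOnly, in header order."""
    found = []
    for header in set_cookie_headers:
        for name, flags in cookie_flags(header).items():
            if not flags["httponly"]:
                found.append(name)
    return found


# Constructed sample headers: the first mirrors the flagged set_cookie("userid", ...)
# call, the second is what the call looks like after adding httponly=True (plus Secure).
SAMPLE_HEADERS = [
    "userid=3f2a9c1d; Path=/",
    "session=abc123; Secure; HttpOnly; Path=/",
]

if __name__ == "__main__":
    print(missing_httponly(SAMPLE_HEADERS))  # ['userid']
```

In a test, collect `response.headers.getlist("Set-Cookie")` from the test client and assert that `missing_httponly(...)` returns an empty list.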
While this issue mostly makes sense if you're setting a sensitive cookie, DeepSource will flag all the cookies encountered without the httponly flag. This is to ensure that you are aware of all the cookies being set and avoid false negatives.