Cookie ‘Secure’ attribute is not set to true
ID: go/cookie-secure-not-set
Kind: problem
Security severity: 4.0
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-614
Query suites:
- go-code-scanning.qls
- go-security-extended.qls
- go-security-and-quality.qls
Cookies without the Secure flag set may be transmitted over plain HTTP instead of HTTPS. This leaves them vulnerable to being read by a third-party attacker on the network path. If a sensitive cookie such as a session key is intercepted this way, the attacker can use it to perform actions on the user’s behalf.
Recommendation
Set the Secure flag to true so that the browser only transmits the cookie over HTTPS connections.
Example
In the following example, in the case marked BAD, the Secure flag is left at its default value of false. In the case marked GOOD, the Secure flag is explicitly set to true.
package main

import (
	"net/http"
)

func handlerBad(w http.ResponseWriter, r *http.Request) {
	c := http.Cookie{
		Name:  "session",
		Value: "secret",
	}
	http.SetCookie(w, &c) // BAD: The Secure flag is set to false by default.
}

func handlerGood(w http.ResponseWriter, r *http.Request) {
	c := http.Cookie{
		Name:   "session",
		Value:  "secret",
		Secure: true,
	}
	http.SetCookie(w, &c) // GOOD: The Secure flag is set to true.
}
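The example below is added here and is not part of the CodeQL documentation or the CodeQL query itself. It shows the hardened cookie from the GOOD case together with HttpOnly and SameSite, and adds a small test-time check that runs a handler against a recorded response and lists any cookie it sets without the Secure attribute. The handler names mirror the ones above; NewSessionCookie, InsecureCookies and CheckHandler are assumed helper names, not CodeQL or net/http APIs.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// NewSessionCookie builds a session cookie with the attributes a browser needs
// to keep it off plaintext HTTP (Secure) and out of reach of scripts (HttpOnly).
// The cookie name "session" matches the documentation example above.
func NewSessionCookie(value string) *http.Cookie {
	return &http.Cookie{
		Name:     "session",
		Value:    value,
		Path:     "/",
		Secure:   true,                 // only sent over HTTPS
		HttpOnly: true,                 // not readable from JavaScript
		SameSite: http.SameSiteLaxMode, // limits cross-site sending
	}
}

// handlerBad issues the cookie with Secure left at its default of false,
// as in the BAD case of the documentation example.
func handlerBad(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{Name: "session", Value: "secret"})
}

// handlerGood issues the hardened cookie.
func handlerGood(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, NewSessionCookie("secret"))
}

// InsecureCookies parses the Set-Cookie headers of a recorded response and
// returns the names of cookies that lack the Secure attribute. This is an
// assumed test helper, not an API of net/http or CodeQL.
func InsecureCookies(rec *httptest.ResponseRecorder) []string {
	var names []string
	for _, c := range rec.Result().Cookies() {
		if !c.Secure {
			names = append(names, c.Name)
		}
	}
	return names
}

// CheckHandler runs a handler against a synthetic (constructed) request and
// reports which cookies it set without Secure. An empty result means every
// cookie the handler issued carries the flag.
func CheckHandler(handler http.HandlerFunc) []string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/login", nil)
	handler(rec, req)
	return InsecureCookies(rec)
}

func main() {
	fmt.Println("handlerBad  insecure cookies:", CheckHandler(handlerBad))  // [session]
	fmt.Println("handlerGood insecure cookies:", CheckHandler(handlerGood)) // []
}
```

Because the check reads the cookies back out of the serialized Set-Cookie header rather than inspecting the struct, it also catches cookies that were written with a hand-built header string, which is a case a struct-field review would miss.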
References
- MDN: Set-Cookie header.
- Detectify: Cookie lacks Secure flag.
- PortSwigger: TLS cookie without secure flag set.
- Common Weakness Enumeration: CWE-614.