Failure to use secure cookies

ID: py/insecure-cookie
Kind: problem
Security severity: 5.0
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-614
- external/cwe/cwe-1004
- external/cwe/cwe-1275
Query suites:
- python-code-scanning.qls
- python-security-extended.qls
- python-security-and-quality.qls
Cookies without the Secure flag set may be transmitted over plain HTTP instead of HTTPS, which leaves them exposed to being read by a third party on the network.
Cookies without the HttpOnly flag set are accessible to JavaScript running in the same origin. In case of a Cross-Site Scripting (XSS) vulnerability, the cookie can be stolen by a malicious script.
Cookies with the SameSite attribute set to 'None' are sent with cross-origin requests, which can be initiated by third-party JavaScript code and so allow Cross-Site Request Forgery (CSRF) attacks.
Recommendation

Always set secure to True or add "; Secure;" to the cookie's raw value.
Always set httponly to True or add "; HttpOnly;" to the cookie's raw value.
Always set samesite to Lax or Strict, or add "; SameSite=Lax;" or "; SameSite=Strict;" to the cookie's raw header value.
Example

In the following examples, the cases marked GOOD show secure cookie attributes being set, whereas in the cases marked BAD they are not set.

```python
from flask import Flask, request, make_response, Response

app = Flask(__name__)


@app.route("/good1")
def good1():
    resp = make_response()
    # GOOD: Attributes are securely set
    resp.set_cookie("name", value="value", secure=True, httponly=True, samesite='Strict')
    return resp


@app.route("/good2")
def good2():
    resp = make_response()
    # GOOD: Attributes are securely set in the raw header value
    resp.headers['Set-Cookie'] = "name=value; Secure; HttpOnly; SameSite=Strict"
    return resp


@app.route("/bad1")
def bad1():
    resp = make_response()
    # BAD: the SameSite attribute is set to 'None' and the 'Secure' and 'HttpOnly'
    # attributes are left at their default of False.
    resp.set_cookie("name", value="value", samesite='None')
    return resp
```
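To show what the Recommendation above amounts to when checked against a raw Set-Cookie header (the form used in the good2 case), here is an added example, written for this page and not part of CodeQL or Flask. It uses only the standard library: parse_set_cookie, audit_set_cookie, secure_cookie_header and CookieAudit are this example's own names. It reports the three conditions the query describes (no Secure, no HttpOnly, SameSite=None) and, following the Recommendation rather than the query itself, also flags a cookie whose SameSite is neither Lax nor Strict. The header strings at the bottom are constructed for the demonstration.

```python
"""Audit raw Set-Cookie header values for the weaknesses described by
py/insecure-cookie. Added example: names and findings are this example's own,
not CodeQL's, and only the standard library is used.
"""

from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    """Result for one cookie: its name and a list of human-readable findings."""
    name: str
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are keyed in lower case because browsers match cookie
    attributes case-insensitively; attributes without a value map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else None
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> CookieAudit:
    """Return the findings for one Set-Cookie header value."""
    name, _value, attrs = parse_set_cookie(header)
    audit = CookieAudit(name)
    if "secure" not in attrs:
        audit.findings.append("missing Secure (CWE-614)")
    if "httponly" not in attrs:
        audit.findings.append("missing HttpOnly (CWE-1004)")
    samesite = (attrs.get("samesite") or "").lower()
    if samesite == "none":
        audit.findings.append("SameSite=None (CWE-1275)")
    elif samesite not in ("lax", "strict"):
        # Not flagged by the query itself; added because the Recommendation
        # asks for SameSite to be set explicitly to Lax or Strict.
        audit.findings.append("SameSite not set to Lax or Strict")
    return audit


def secure_cookie_header(name: str, value: str, samesite: str = "Lax") -> str:
    """Build a raw Set-Cookie value that satisfies the Recommendation."""
    if samesite not in ("Lax", "Strict"):
        raise ValueError("samesite must be 'Lax' or 'Strict'")
    return f"{name}={value}; Secure; HttpOnly; SameSite={samesite}"


if __name__ == "__main__":
    # Constructed sample headers: one matching good2, one matching bad1.
    samples = [
        "name=value; Secure; HttpOnly; SameSite=Strict",
        "name=value; SameSite=None",
        secure_cookie_header("session", "constructed-id", samesite="Strict"),
    ]
    for header in samples:
        result = audit_set_cookie(header)
        status = "OK " if result.ok else "BAD"
        print(f"{status} {header!r}")
        for finding in result.findings:
            print(f"      - {finding}")
```

Running the module prints one line per sample header, with the findings indented under any header that fails; audit_set_cookie can equally be pointed at the Set-Cookie headers of a test client's responses.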
References

- Detectify: Cookie lack Secure flag.
- PortSwigger: TLS cookie without secure flag set.
- Common Weakness Enumeration: CWE-614.
- Common Weakness Enumeration: CWE-1004.
- Common Weakness Enumeration: CWE-1275.