When a cookie is protected with the `secure` attribute set to true, the browser will not send it over an unencrypted HTTP
request, so it cannot be observed by an unauthorized party during a man-in-the-middle attack.
There is a risk if you answered yes to any of those questions.
Use HTTPS everywhere, so setting the `secure` flag to true should be the default behaviour
when creating cookies. Always set the `secure` flag to true for session cookies. Sensitive code examples, cookie-session module:
// cookie-session middleware created with `secure: false`: the browser will also
// attach this cookie to plaintext HTTP requests, where it can be read or replayed
// by anyone on the network path. This is the pattern the rule reports.
// (`cookieSession` is assumed to be the imported cookie-session factory; the
// require is not part of this excerpt.)
const sessionOptions = { secure: false }; // Sensitive: cookie not restricted to HTTPS
let session = cookieSession(sessionOptions); // Sensitive
express-session module:
const express = require('express');
const session = require('express-session');

// Session cookie options. `secure: false` lets the browser send the session id
// over plain HTTP as well, exposing it to passive interception and hijacking.
const cookieOptions = { secure: false }; // Sensitive

let app = express();
app.use(session({ cookie: cookieOptions })); // Sensitive
cookies module (sensitive):
// `Cookies`, `req`, `res` and `keys` come from the surrounding request handler
// (not shown in this excerpt).
let cookies = new Cookies(req, res, { keys });
const lastVisit = new Date().toISOString();
// `secure: false`: the browser will also return 'LastVisit' over unencrypted HTTP.
cookies.set('LastVisit', lastVisit, { secure: false }); // Sensitive
csurf module (sensitive):
const cookieParser = require('cookie-parser');
const csrf = require('csurf');
const express = require('express');

// csurf keeps its CSRF secret in a cookie here; with `secure: false` that secret
// is also transmitted over plaintext HTTP and can be captured in transit.
const csrfCookie = { secure: false }; // Sensitive
let csrfProtection = csrf({ cookie: csrfCookie }); // Sensitive
Compliant solutions, cookie-session module:
// cookie-session middleware with `secure: true`: the browser only sends the
// cookie over HTTPS, so it is not exposed on plaintext connections.
// (`cookieSession` is assumed to be the imported cookie-session factory; the
// require is not part of this excerpt.)
const sessionOptions = { secure: true }; // Compliant: HTTPS-only cookie
let session = cookieSession(sessionOptions); // Compliant
express-session module:
const express = require('express');
const session = require('express-session');

// Session cookie options. `secure: true` restricts the session id to HTTPS.
// NOTE(review): when the app sits behind a TLS-terminating reverse proxy,
// express-session only sets a secure cookie if the connection is recognised
// as secure — see the `trust proxy` setting in the express-session docs.
const cookieOptions = { secure: true }; // Compliant

let app = express();
app.use(session({ cookie: cookieOptions })); // Compliant
cookies module (compliant):
// `Cookies`, `req`, `res` and `keys` come from the surrounding request handler
// (not shown in this excerpt).
let cookies = new Cookies(req, res, { keys });
const lastVisit = new Date().toISOString();
// `secure: true`: the browser only returns 'LastVisit' over HTTPS.
cookies.set('LastVisit', lastVisit, { secure: true }); // Compliant
csurf module (compliant):
const cookieParser = require('cookie-parser');
const csrf = require('csurf');
const express = require('express');

// The cookie holding the CSRF secret is marked `secure: true`, so it is only
// sent over HTTPS. The `secure` flag addresses transport exposure only; it does
// not replace the other cookie attributes the application may need.
// NOTE(review): csurf is archived upstream and no longer maintained — confirm
// it is still the intended CSRF mechanism for this project.
const csrfCookie = { secure: true }; // Compliant
let csrfProtection = csrf({ cookie: csrfCookie }); // Compliant