1 files changed, 41 insertions, 0 deletions

diff --git a/doc/user/application_security/dast/checks/1004.1.md b/doc/user/application_security/dast/checks/1004.1.md
new file mode 100644
index 00000000000..cbbcea1d34d
--- /dev/null
+++ b/doc/user/application_security/dast/checks/1004.1.md
@@ -0,0 +1,41 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Sensitive cookie without `HttpOnly` attribute
+
+## Description
+
+The {cookie_name} cookie was transmitted in a `Set-Cookie` header without the `HttpOnly` attribute set.
+To prevent JavaScript being able to access the cookie value - usually via `document.cookies` - all
+cookies that are used for authorization or contain sensitive information should have the `HttpOnly` attribute
+set.
+
+## Remediation
+
+Most web application frameworks allow configuring how cookies are sent to user-agents. Consult your framework's
+documentation for more information on how to enable various security directives when assigning cookies to clients.
+
+If the application is assigning cookies via writing to the response headers directly, ensure all responses include
+the `HttpOnly` attribute. By enabling this protection, the application is able to mitigate the impact of
+certain Cross-Site Scripting (XSS) attacks.
+
+Example:
+
+```http
+Set-Cookie: {cookie_name}=<random secure value>; HttpOnly
+```
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 1004.1 | false | 1004 | Passive | Low |
+
+## Links
+
+- [owasp](https://owasp.org/www-community/HttpOnly)
+- [cwe](https://cwe.mitre.org/data/definitions/1004.html)
+- [Mozilla MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies)