Diffstat (limited to 'doc/user/application_security/dast/checks/614.1.md')
-rw-r--r-- | doc/user/application_security/dast/checks/614.1.md | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/doc/user/application_security/dast/checks/614.1.md b/doc/user/application_security/dast/checks/614.1.md new file mode 100644 index 00000000000..74ac73935f1 --- /dev/null +++ b/doc/user/application_security/dast/checks/614.1.md @@ -0,0 +1,40 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Sensitive cookie without `Secure` attribute + +## Description + +The {cookie_name} cookie was transmitted in a `Set-Cookie` response without the `Secure` attribute set. +To prevent sensitive cookie values being accidentally transmitted over clear-text HTTP we +recommended that cookies are declared with the `Secure` attribute. + +## Remediation + +Most web application frameworks allow configuring how cookies are sent to user agents. Consult your framework's +documentation for more information on how to enable various security attributes when assigning cookies to clients. + +If the application is assigning cookies via writing to the response headers directly, ensure all responses include +the `Secure` attribute. By enabling this protection, the application will no longer send sensitive cookies over +HTTP. + +Example: + +```http +Set-Cookie: {cookie_name}=<random secure value>; Secure +``` + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 614.1 | false | 614 | Passive | Low | + +## Links + +- [owasp](https://owasp.org/www-community/controls/SecureCookieAttribute) +- [cwe](https://cwe.mitre.org/data/definitions/614.html) +- [Mozilla MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) |
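Review bot: The last sentence of the Remediation section misattributes the effect of the attribute: "By enabling this protection, the application will no longer send sensitive cookies over HTTP" should say that the user agent will no longer include the cookie in requests made over clear-text HTTP, since `Secure` instructs the browser not to transmit the cookie on insecure channels and does nothing about what the server itself emits. Two smaller points in the same hunk: the Description reads "we recommended that cookies are declared with the `Secure` attribute" and should be "we recommend"; and the link text in the Links list is inconsistently cased ("owasp", "cwe" next to "Mozilla MDN"), so consider "OWASP" and "CWE" to match.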