rspec/rules/S3330/csharp/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For example In C# you can specify the HttpOnly flag for https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcookie?view=netframework-4.8[HttpCookie] object.


----
HttpCookie myCookie = new HttpCookie("Sensitive cookie");
myCookie.HttpOnly = false;  // Sensitive:  this sensitive cookie is created with the httponly flag set to false and so it can be stolen easily in case of XSS vulnerability
----

The https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcookie.httponly?view=netframework-4.8[default value] of ``++secure++`` flag is false:

----
HttpCookie myCookie = new HttpCookie("Sensitive cookie"); 
// Sensitive: this sensitive cookie is created with the httponly flag not defined (by default set to false)  and so it can be stolen easily in case of XSS vulnerability
----

== Compliant Solution

----
HttpCookie myCookie = new HttpCookie("Sensitive cookie");
myCookie.HttpOnly = true; // Compliant: the sensitive cookie is protected against theft thanks to the HttpOnly property set to true (HttpOnly = true)
----

include::../see.adoc[]
Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`For example In C# you can specify the HttpOnly flag for https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcookie?view=netframework-4.8[HttpCookie] object.`

Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`----`
			`HttpCookie myCookie = new HttpCookie("Sensitive cookie");`
			`myCookie.HttpOnly = false; // Sensitive: this sensitive cookie is created with the httponly flag set to false and so it can be stolen easily in case of XSS vulnerability`
			`----`

make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			The https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcookie.httponly?view=netframework-4.8[default value] of ``++secure++`` flag is false:
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`----`
			`HttpCookie myCookie = new HttpCookie("Sensitive cookie");`
			`// Sensitive: this sensitive cookie is created with the httponly flag not defined (by default set to false) and so it can be stolen easily in case of XSS vulnerability`
			`----`

			`== Compliant Solution`

			`----`
			`HttpCookie myCookie = new HttpCookie("Sensitive cookie");`
			`myCookie.HttpOnly = true; // Compliant: the sensitive cookie is protected against theft thanks to the HttpOnly property set to true (HttpOnly = true)`
			`----`

			`include::../see.adoc[]`