include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

If you create a security-sensitive cookie in your Kotlin code:

[source,kotlin]
----
val c1 = Cookie("admin", "secret")
c1.setHttpOnly(false) // Sensitive: this sensitive cookie is created with the HttpOnly flag set to false, so it can be stolen easily in case of an XSS vulnerability
----

By default the https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setHttpOnly(boolean)[``++HttpOnly++``] flag is set to _false_:

[source,kotlin]
----
val c2 = Cookie("admin", "secret") // Sensitive: this sensitive cookie is created with the HttpOnly flag not defined (false by default), so it can be stolen easily in case of an XSS vulnerability
----

== Compliant Solution

[source,kotlin]
----
val c3 = Cookie("admin", "secret")
c3.setHttpOnly(true) // Compliant: this sensitive cookie is protected against theft (HttpOnly=true)
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
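As a complement to the Compliant Solution above, the following added example (not part of this rule or its test cases) shows how a defender can audit the `Set-Cookie` headers a server actually emits and flag sensitive cookies that lack the `HttpOnly` attribute. The header strings and the cookie names treated as sensitive are constructed assumptions.

```kotlin
// Added example: audit Set-Cookie header values for a missing HttpOnly flag.
// Pure Kotlin, no servlet dependency; input headers below are constructed samples.

data class CookieAudit(val name: String, val httpOnly: Boolean, val secure: Boolean)

/** Parse one Set-Cookie header value into the cookie name and the flags it carries. */
fun parseSetCookie(header: String): CookieAudit {
    val parts = header.split(';').map { it.trim() }
    // First segment is "name=value"; the rest are attributes such as Path, HttpOnly, Secure.
    val name = parts.first().substringBefore('=').trim()
    val attrs = parts.drop(1).map { it.substringBefore('=').trim().lowercase() }
    return CookieAudit(
        name = name,
        httpOnly = "httponly" in attrs,
        secure = "secure" in attrs,
    )
}

/** Return the names of cookies that are considered sensitive but remain readable by script. */
fun findExposedCookies(headers: List<String>, sensitiveNames: Set<String>): List<String> =
    headers.map(::parseSetCookie)
        .filter { it.name in sensitiveNames && !it.httpOnly }
        .map { it.name }

fun main() {
    // Constructed sample response headers (assumption, not captured from a real system).
    val responseHeaders = listOf(
        "admin=secret; Path=/",                        // like c2 above: flag never set
        "JSESSIONID=abc123; Path=/; HttpOnly; Secure", // hardened, like c3 above
        "theme=dark; Path=/",                          // not sensitive; script access is acceptable
    )
    // Assumed set of cookie names that carry authentication or session state.
    val sensitive = setOf("admin", "JSESSIONID")

    for (name in findExposedCookies(responseHeaders, sensitive)) {
        println("Sensitive cookie '$name' is missing HttpOnly")
    }
}
```

The same check can be run over proxy or integration-test logs to catch cookies whose `HttpOnly` flag was dropped by a framework default rather than by explicit code.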