include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example If you create a security-sensitive cookie in your JAVA code: ---- Cookie c = new Cookie(COOKIENAME, sensitivedata); c.setHttpOnly(false); // Sensitive: this sensitive cookie is created with the httponly flag set to false and so it can be stolen easily in case of XSS vulnerability ---- By default the https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setHttpOnly(boolean)[``++HttpOnly++``] flag is set to _false:_ ---- Cookie c = new Cookie(COOKIENAME, sensitivedata); // Sensitive: this sensitive cookie is created with the httponly flag not defined (by default set to false) and so it can be stolen easily in case of XSS vulnerability ---- == Compliant Solution [source,java] ---- Cookie c = new Cookie(COOKIENAME, sensitivedata); c.setHttpOnly(true); // Compliant: this sensitive cookie is protected against theft (HttpOnly=true) ---- include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] ''' == Comments And Links (visible only on this page) === on 5 Mar 2018, 16:44:11 Alexandre Gigleux wrote: Out of scope: this rule doesn't cover the case of ``++HttpOnly++`` configured properly in a web.xml: ---- true ---- === on 16 May 2018, 14:18:25 Andrei Epure wrote: Also out of scope: * https://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html[spring configuration] ``++server.servlet.session.cookie.http-only++`` * detecting common class that adds HttpOnly to all cookies passed around the app like Web Filter + https://github.com/ESAPI/esapi-java-legacy/blob/14e60d33207fd6a8e74151932a25b50e0de8e61b/src/main/java/org/owasp/esapi/filters/SecurityWrapperResponse.java#L78[SecurityWrapperResponse.addCookie] method of the OWASP ESAPI project (see details in this https://stackoverflow.com/questions/35421596/cookie-http-only-with-spring-security-and-servlet-2-5#35493412[SO answer]) include::../comments-and-links.adoc[] endif::env-github,rspecator-view[]