Insecure cookie

Severity
High

Insecure cookie settings can cause cookies to be transmitted unencrypted: without the `Secure` attribute a browser also sends the cookie over plain HTTP. Even if a cookie doesn't contain sensitive data now, sensitive data could be added later. It's good practice to transmit all cookies only through secure channels.

Detector ID
kotlin/insecure-cookie@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

import javax.servlet.http.Cookie
import javax.servlet.http.HttpServletResponse
import org.springframework.web.bind.annotation.RequestParam

// Noncompliant: The `setSecure` attribute of a cookie is set to `false`
fun noncompliant(@RequestParam value: String, response: HttpServletResponse) {
    val cookie = Cookie("cookie", value)
    cookie.setSecure(false)   // the browser will also send this cookie over plain HTTP
    cookie.setHttpOnly(false) // the cookie stays readable from client-side scripts
    response.addCookie(cookie)
}

Compliant example

import javax.servlet.http.Cookie
import javax.servlet.http.HttpServletResponse
import org.springframework.web.bind.annotation.RequestParam

// Compliant: The `setSecure` attribute of a cookie is set to `true`
fun compliant(@RequestParam value: String, response: HttpServletResponse) {
    val cookie = Cookie("cookie", value)
    cookie.setSecure(true)   // only sent over HTTPS
    cookie.setHttpOnly(true) // not exposed to client-side scripts
    response.addCookie(cookie)
}
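As an added example that is not part of the original page or of the detector, the check below audits the Set-Cookie header values an application emits for the attributes the compliant function sets, using constructed sample headers; the cookie-prefix (`__Secure-`, `__Host-`) checks go beyond what the page shows.

```python
# Added example (not from the page): audit Set-Cookie header values for the
# weakness this detector flags. Sample headers below are constructed.
from typing import Dict, List, Optional


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split one Set-Cookie value into {"name", "value", <attr>: <val or None>}."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    parsed: Dict[str, Optional[str]] = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        # Attribute names are case-insensitive; flags (Secure, HttpOnly) map to None.
        parsed[key.strip().lower()] = val.strip() if has_value else None
    return parsed


def audit_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie header; an empty list means it passes."""
    c = parse_set_cookie(header)
    name = str(c["name"])
    findings: List[str] = []
    if "secure" not in c:
        msg = "missing Secure: cookie may be transmitted over plain HTTP"
        if name.startswith(("__Secure-", "__Host-")):
            msg += " (the name prefix also requires it)"
        findings.append(msg)
    if "httponly" not in c:
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    if name.startswith("__Host-") and ("domain" in c or c.get("path") != "/"):
        findings.append("__Host- prefix requires Path=/ and no Domain attribute")
    return findings


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Map each header to its findings, keeping only headers that have findings."""
    return {h: f for h, f in ((h, audit_cookie(h)) for h in headers) if f}


# Constructed: what the page's noncompliant and compliant functions would emit,
# plus a prefixed cookie whose Path violates the prefix rule.
SAMPLE_HEADERS = [
    "cookie=abc123",
    "cookie=abc123; Secure; HttpOnly",
    "__Host-session=xyz; Secure; HttpOnly; Path=/app",
]

if __name__ == "__main__":
    for header, issues in audit_all(SAMPLE_HEADERS).items():
        print(f"{header}: " + "; ".join(issues))
```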