HTTP Cookies Analyzer

Configuration Name: Cookies

Description

The Cookies analyzer checks for security best practices in Set-Cookie response headers.

  • Runs on every response containing cookies.
  • Does not generate requests but inspects existing responses.
  • Findings are reported as target-scoped, meaning they are not associated with a particular operation; this minimizes duplicate findings when all operations use the same headers.

Checks Performed

The Cookies analyzer validates that all cookies follow security best practices:

Check | Expected Value / Condition | Purpose
--- | --- | ---
Cookie name has __Host- prefix | Must be present | Ensures the cookie is restricted to HTTPS and a specific origin.
Cookie must have HttpOnly attribute | Must be present | Prevents client-side JavaScript access, mitigating XSS attacks.
Cookie must have Path=/ attribute | Must be set to / | Explicitly scopes the cookie to the entire site to prevent path confusion attacks.
Cookie must have SameSite attribute | Must be present | Controls cross-site cookie behavior to prevent CSRF attacks.
Cookie must have Secure attribute | Must be present | Ensures the cookie is transmitted only over HTTPS.

Faults Reported

Findings are reported when an API response contains a Set-Cookie header that does not comply with security best practices.

Fault Identifier | Title | Summary | Solution | Severity
--- | --- | --- | --- | ---
CWE-693 | Cookies Best Practices | An HTTP cookie in a Set-Cookie response header did not comply with security best practices. | Modify the API implementation or API gateway to set appropriate cookie values in each response. | Medium

Rule Evaluation

  • The analyzer inspects each API response for the presence and correctness of Set-Cookie attributes.
  • If a required cookie attribute is missing or incorrectly configured, a finding is reported.
  • Findings are target-scoped to avoid redundant reports when multiple operations use the same cookie settings.

Example Scenario

Example HTTP Response with Cookie Security Issues:

HTTP/1.1 200 OK
Set-Cookie: sessionid=abc123; Path=/; Secure

Findings Would Be Reported For

If an API response contains a Set-Cookie header that does not comply with security best practices, findings would be reported for:

  • Missing HttpOnly attribute

    • Example: Set-Cookie: sessionid=abc123; Path=/; Secure
    • Issue: The cookie is accessible via JavaScript, making it vulnerable to cross-site scripting (XSS) attacks.
  • Missing Secure attribute

    • Example: Set-Cookie: sessionid=abc123; Path=/; HttpOnly
    • Issue: The cookie can be transmitted over insecure HTTP connections, exposing it to network interception.
  • Missing SameSite attribute

    • Example: Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly
    • Issue: The cookie lacks cross-site request forgery (CSRF) protection.
  • Missing Path=/ attribute

    • Example: Set-Cookie: sessionid=abc123; Secure; HttpOnly; SameSite=Strict
    • Issue: The cookie does not explicitly define its scope, which could lead to inconsistent behavior in different parts of the application.
  • Missing __Host- prefix for sensitive cookies

    • Example: Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict
    • Issue: The cookie is not restricted to a single secure origin, making it more susceptible to misuse.
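The following is an added example, not the analyzer's own code: a minimal re-implementation of the five checks from the table above, plus the target-scoped de-duplication described under Rule Evaluation, run over headers constructed from the examples in this section. Attribute names are matched case-insensitively, as RFC 6265 requires; the `Finding` class, function names and the operation labels are assumptions made for the example.

```python
# Added example (not the analyzer's own code): the five Set-Cookie checks and
# target-scoped de-duplication of findings. Sample headers are constructed from
# the page's examples.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    cookie: str   # cookie name as sent by the server
    check: str    # which of the five checks failed
    issue: str    # why it matters


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split 'name=value; Attr; Attr=value' into (name, value, attributes).

    RFC 6265 attribute names are case-insensitive, so keys are lower-cased;
    flag attributes without a value (Secure, HttpOnly) map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def check_cookie(header: str) -> List[Finding]:
    """Apply the page's five checks to one Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[Finding] = []
    if not name.startswith("__Host-"):
        findings.append(Finding(name, "__Host- prefix",
                                "cookie is not bound to a single secure origin"))
    if "httponly" not in attrs:
        findings.append(Finding(name, "HttpOnly",
                                "cookie is readable by client-side JavaScript"))
    if attrs.get("path") != "/":
        findings.append(Finding(name, "Path=/",
                                "cookie scope is not explicitly the whole site"))
    if "samesite" not in attrs:
        findings.append(Finding(name, "SameSite",
                                "browser default cross-site behaviour applies"))
    if "secure" not in attrs:
        findings.append(Finding(name, "Secure",
                                "cookie may be sent over plaintext HTTP"))
    return findings


def analyze_target(responses: Dict[str, List[str]]) -> List[Finding]:
    """Target-scoped evaluation: `responses` maps an operation such as
    'POST /login' to the Set-Cookie values it returned. The same (cookie, check)
    pair is reported once for the whole target, however many operations set it.
    """
    seen = set()
    report: List[Finding] = []
    for _operation, headers in responses.items():
        for header in headers:
            for finding in check_cookie(header):
                key = (finding.cookie, finding.check)
                if key not in seen:
                    seen.add(key)
                    report.append(finding)
    return report


if __name__ == "__main__":
    # Constructed sample: two operations returning the page's example header,
    # which yields three findings (not six) thanks to target scoping.
    sample = {
        "POST /login": ["sessionid=abc123; Path=/; Secure"],
        "POST /refresh": ["sessionid=abc123; Path=/; Secure"],
    }
    for f in analyze_target(sample):
        print(f"{f.cookie}: missing {f.check} ({f.issue})")
```

`check_cookie` reports only presence (or, for Path, the exact value `/`), mirroring the table; a stricter deployment could additionally reject `SameSite=None`, which the page's "must be present" condition does not require.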

Remediation Steps

To ensure API responses adhere to cookie security best practices, follow these remediation steps:

  1. Ensure All Required Cookie Attributes Are Set

    • Use the __Host- prefix for sensitive cookies to restrict them to a secure origin.
    • Set the HttpOnly attribute to prevent JavaScript access and mitigate XSS attacks.
    • Set the Path=/ attribute to properly define the cookie’s scope.
    • Set the SameSite attribute to Strict or Lax to prevent CSRF attacks.
    • Set the Secure attribute to ensure cookies are only transmitted over HTTPS.
  2. Update API Gateway or Server Configuration

    • Ensure that the API gateway or backend enforces secure cookie policies.
    • Review framework-specific cookie settings (e.g., Flask, Express, Spring Security).
    • Implement security headers at the gateway level if applicable.
  3. Monitor and Audit Cookie Usage

    • Log and review Set-Cookie headers in API responses to detect missing or incorrect attributes.
    • Implement security monitoring tools to detect improper cookie configurations.
    • Use security scanning tools to identify cookies that do not comply with best practices.
  4. Test for Cookie Security Issues

    • Perform automated security tests to validate cookie attributes.
    • Use browser developer tools (e.g., Chrome DevTools) to inspect Set-Cookie headers and confirm compliance.
    • Conduct penetration testing to check if cookies are exposed or misconfigured.
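As an added example for remediation steps 1 and 2 (this is not the analyzer's code nor any framework's): `build_host_cookie` emits a cookie that satisfies all five checks using only the Python standard library, and `CookieHardeningMiddleware` shows gateway-style enforcement by appending missing attributes to every outgoing Set-Cookie header at a WSGI boundary. The function names, the `demo_app` and the cookie name and value are constructed for the example; the middleware assumes the gateway serves HTTPS only and that no client-side script needs to read the cookie.

```python
# Added example (not the analyzer's or any framework's own code): build a
# compliant __Host- cookie, and harden Set-Cookie headers in WSGI middleware.
from http.cookies import SimpleCookie
from typing import List, Tuple


def build_host_cookie(name: str, value: str, samesite: str = "Strict") -> str:
    """Return a Set-Cookie value that satisfies all five checks.

    A __Host- cookie must be Secure, have Path=/ and carry no Domain
    attribute, so the prefix is added here and Domain is never set.
    """
    jar = SimpleCookie()
    key = name if name.startswith("__Host-") else "__Host-" + name
    jar[key] = value
    morsel = jar[key]
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = samesite
    return morsel.OutputString()


def harden_set_cookie(header: str, samesite_default: str = "Lax") -> str:
    """Append whichever of Path=/, Secure, HttpOnly and SameSite are absent.

    Attributes already present (even a narrower Path) are left untouched, and
    the cookie is not renamed: adding the __Host- prefix at the gateway would
    break application code that reads the cookie by its original name, so that
    part of step 1 belongs in the application.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}
    for attr in ("Path=/", "Secure", "HttpOnly", f"SameSite={samesite_default}"):
        if attr.split("=", 1)[0].lower() not in present:
            parts.append(attr)
    return "; ".join(parts)


class CookieHardeningMiddleware:
    """WSGI middleware that rewrites every outgoing Set-Cookie header."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def hardened_start_response(status, headers, exc_info=None):
            rewritten = [(k, harden_set_cookie(v) if k.lower() == "set-cookie" else v)
                         for k, v in headers]
            return start_response(status, rewritten, exc_info)
        return self.app(environ, hardened_start_response)


def run_through_middleware(app) -> List[Tuple[str, str]]:
    """Drive a WSGI app once and return the headers emitted after hardening."""
    captured: List[Tuple[str, str]] = []

    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
        return lambda data: None

    body = CookieHardeningMiddleware(app)({}, start_response)
    list(body)  # consume the response iterable as a server would
    return captured


def demo_app(environ, start_response):
    """Constructed sample app that sets the page's non-compliant cookie."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "sessionid=abc123; Path=/; Secure")])
    return [b"ok"]


if __name__ == "__main__":
    print(build_host_cookie("sessionid", "abc123"))
    for k, v in run_through_middleware(demo_app):
        print(f"{k}: {v}")
```

The middleware is a safety net for step 2, not a substitute for step 1: it cannot add the `__Host-` prefix without coordinating with the application, so an analyzer run against the hardened gateway would still report that one check until the application renames the cookie.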