Insecure cookie (severity: Low)

A cookie created without the Secure flag is sent by the browser over plain HTTP as well as HTTPS, so an attacker on the network path can read or replay it; a cookie without the HttpOnly flag can additionally be read by client-side script, for example after a cross-site scripting (XSS) injection. Even if a cookie doesn't contain sensitive data now, sensitive data could be added to it later. It's good practice to mark every cookie Secure (and HttpOnly unless script genuinely needs to read it) so that cookies are only ever transmitted over an encrypted channel.

Detector ID
Common Weakness Enumeration (CWE)

Noncompliant example

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public static void cookieInsecureByDefaultNoncompliant(HttpServletResponse response) {
    Cookie cookie = new Cookie("name", "value");
    // Noncompliant: by default, the Cookie is neither Secure nor HttpOnly,
    // so the browser will also send it over unencrypted HTTP and expose it to script.
    response.addCookie(cookie);
}

Compliant example

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public static void cookieSecureCompliant(HttpServletResponse response) {
    Cookie cookie = new Cookie("name", "value");
    // Compliant: the Cookie is only sent over TLS and is not readable from script.
    cookie.setSecure(true);
    cookie.setHttpOnly(true);
    response.addCookie(cookie);
}
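The compliant example fixes one call site. In practice the flags are easier to enforce in a single helper that every cookie goes through, together with a check that can be used in tests or in a response filter to catch cookies that bypassed it. The following is an added example written for this page, not code from the detector library; it assumes the Servlet API (`javax.servlet-api`) is on the classpath, and the class and method names (`HardenedCookies`, `addHardened`, `hardenedSetCookieHeader`, `isHardened`) are hypothetical.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical helper (added example): centralises cookie hardening so that
 * Secure and HttpOnly cannot be forgotten at individual call sites.
 */
public final class HardenedCookies {
    private HardenedCookies() {}

    /**
     * Adds a cookie that is always marked Secure and HttpOnly, scoped to a
     * path and given an explicit lifetime. Returns the cookie for inspection.
     */
    public static Cookie addHardened(HttpServletResponse response,
                                     String name, String value,
                                     String path, int maxAgeSeconds) {
        Cookie cookie = new Cookie(name, value);
        cookie.setSecure(true);        // browser sends it only over HTTPS
        cookie.setHttpOnly(true);      // not readable via document.cookie
        cookie.setPath(path);          // do not leak it to unrelated paths
        cookie.setMaxAge(maxAgeSeconds);
        response.addCookie(cookie);
        return cookie;
    }

    /**
     * Builds an equivalent Set-Cookie header value by hand. Useful when the
     * servlet API in use has no way to set attributes the Cookie class does
     * not model (for example SameSite), in which case the header is written
     * with response.addHeader("Set-Cookie", ...) instead of addCookie.
     */
    public static String hardenedSetCookieHeader(String name, String value,
                                                 String path, int maxAgeSeconds) {
        return name + "=" + value
                + "; Path=" + path
                + "; Max-Age=" + maxAgeSeconds
                + "; Secure; HttpOnly; SameSite=Strict";
    }

    /**
     * Check for tests or a response-inspecting filter: true only when the
     * cookie carries both flags this detector looks for.
     */
    public static boolean isHardened(Cookie cookie) {
        return cookie.getSecure() && cookie.isHttpOnly();
    }

    public static void main(String[] args) {
        // Constructed sample values for a stand-alone run (no container needed
        // for the header builder or the check).
        Cookie weak = new Cookie("session", "abc123");
        System.out.println("default cookie hardened? " + isHardened(weak));   // false

        weak.setSecure(true);
        weak.setHttpOnly(true);
        System.out.println("after flags hardened?    " + isHardened(weak));   // true

        System.out.println(hardenedSetCookieHeader("session", "abc123", "/", 3600));
    }
}
```

Two caveats worth keeping in mind when adopting this. `setSecure(true)` only instructs the browser; the application itself must actually be reachable over HTTPS, otherwise the cookie is never sent back at all. And do not make the flag conditional on `request.isSecure()`: behind a TLS-terminating load balancer that method commonly reports `false`, so the cookie would silently be issued without the Secure attribute in production.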