Insecure cookie settings can lead to cookies being transmitted unencrypted. Even if a cookie doesn't contain sensitive data now, sensitive data could be added to it later. It's good practice to transmit all cookies only through secure channels.
/**
 * Noncompliant example: attaches a cookie that still carries its default flags.
 *
 * <p>A freshly constructed {@link Cookie} has neither the Secure nor the HttpOnly
 * flag set, so the browser may send it over plain HTTP and client-side script can
 * read it.
 *
 * @param response the servlet response the cookie is added to
 */
public static void cookieInsecureByDefaultNoncompliant(HttpServletResponse response) {
    // Noncompliant: neither setSecure(true) nor setHttpOnly(true) is called before
    // the cookie is added, so it keeps the insecure defaults.
    response.addCookie(new Cookie("name", "value"));
}
/**
 * Compliant example: hardens the cookie before attaching it to the response.
 *
 * <p>The Secure flag restricts the cookie to encrypted (HTTPS) connections and the
 * HttpOnly flag keeps it out of reach of client-side script.
 *
 * @param response the servlet response the cookie is added to
 */
public static void cookieSecureCompliant(HttpServletResponse response) {
    Cookie hardenedCookie = new Cookie("name", "value");
    // Compliant: both flags are set before the cookie leaves the server. The two
    // setters are independent, so their order does not matter.
    hardenedCookie.setHttpOnly(true);
    hardenedCookie.setSecure(true);
    response.addCookie(hardenedCookie);
}