Insecure cookie

Severity
Low

Insecure cookie settings can lead to cookies being transmitted unencrypted: without the Secure flag, the browser will send a cookie over plain HTTP as well as HTTPS, and without the HttpOnly flag the cookie is readable by client-side script. Even if a cookie doesn't contain sensitive data now, sensitive data could be added to it later. It's good practice to transmit all cookies only through secure channels.

Detector ID
java/insecure-cookie@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public static void cookieInsecureByDefaultNoncompliant(HttpServletResponse response) {
    Cookie cookie = new Cookie("name", "value");
    // Noncompliant: by default, the Cookie is not secure and not httpOnly.
    response.addCookie(cookie);
}

Compliant example

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public static void cookieSecureCompliant(HttpServletResponse response) {
    Cookie cookie = new Cookie("name", "value");
    // Compliant: the Cookie is secured.
    cookie.setSecure(true);   // sent only over TLS
    cookie.setHttpOnly(true); // not exposed to client-side script
    response.addCookie(cookie);
}