Insecure cookie settings can lead to unencrypted cookie transmission. Even if a cookie doesn't contain sensitive data now, sensitive data could be added later. It's good practice to transmit all cookies only through secure channels.
const cookieSession = require('cookie-session');
const express = require('express');
// Shared application instance that the sample functions below register middleware on.
const app = express();
/**
 * Noncompliant sample: registers cookie-session middleware on the shared
 * `app` with `httpOnly` explicitly disabled, so the session cookie becomes
 * readable from client-side script.
 *
 * Takes no parameters and returns nothing; its only effect is the
 * `app.use(...)` registration.
 */
function insecureCookieNoncompliant() {
  const sessionOptions = {
    name: 'session',
    // Literal secret kept as in the sample; a real deployment loads it from configuration.
    secret: "secret",
    // Noncompliant: `httpOnly: false` lets script on the page read the cookie,
    // so any injected script can capture the session.
    httpOnly: false,
  };
  app.use(cookieSession(sessionOptions));
}
const cookieSession = require('cookie-session');
const express = require('express');
// Shared application instance that the sample function below registers middleware on.
const app = express();
/**
 * Compliant sample: registers cookie-session middleware on the shared `app`
 * without overriding `httpOnly`, so the library default applies (the sample
 * states that default is `true`).
 *
 * Takes no parameters and returns nothing; its only effect is the
 * `app.use(...)` registration.
 */
function insecureCookieCompliant() {
  // Compliant: `httpOnly` is left at its default (true per the sample), so
  // page script cannot read the session cookie.
  // NOTE(review): `secure` is not set here either; confirm the cookie is only
  // sent over HTTPS in your deployment.
  const sessionOptions = {
    name: 'session',
    // Literal secret kept as in the sample; a real deployment loads it from configuration.
    secret: "secret",
  };
  app.use(cookieSession(sessionOptions));
}