Insecure cookie

Severity
High

Cookies created without the Secure attribute can be transmitted over unencrypted connections. Even if a cookie doesn't contain sensitive data now, sensitive data could be added to it later. It's good practice to transmit all cookies only through secure channels.

Detector ID
python/insecure-cookie@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

def secure_cookie_noncompliant():
    from http.cookies import SimpleCookie
    cookie = SimpleCookie()
    cookie['sample'] = "sample_value"
    # Noncompliant: the cookie is insecure. A falsy value means the Secure
    # attribute is omitted from the Set-Cookie header, so a browser will also
    # send the cookie over plain HTTP.
    cookie['sample']['secure'] = 0
    print(cookie)

Compliant example

def secure_cookie_compliant():
    from http.cookies import SimpleCookie
    cookie = SimpleCookie()
    cookie['sample'] = "sample_value"
    # Compliant: the cookie is secure. The Secure attribute is emitted, so a
    # browser only sends the cookie over HTTPS.
    cookie['sample']['secure'] = True
    print(cookie)
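The following is an added example, not part of the detector page: it shows the Set-Cookie header value that SimpleCookie produces with and without the Secure attribute (alongside HttpOnly and SameSite, which the page does not discuss but which a hardened cookie normally carries), and a small audit helper that parses raw Set-Cookie header values and reports which cookies lack Secure. The header values in SAMPLE_SET_COOKIE_HEADERS are constructed for the example.

```python
from http.cookies import SimpleCookie


def build_cookie(name: str, value: str, secure: bool,
                 httponly: bool = True, samesite: str = "Strict") -> str:
    """Return the Set-Cookie header value for one cookie.

    secure=False reproduces the noncompliant setting above: SimpleCookie
    simply omits the Secure attribute, so the cookie may travel over HTTP.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["secure"] = secure      # falsy -> attribute omitted
    cookie[name]["httponly"] = httponly  # not readable via document.cookie
    cookie[name]["samesite"] = samesite  # limits cross-site sending
    return cookie[name].OutputString()


def missing_secure_cookies(set_cookie_headers: list[str]) -> list[str]:
    """Parse raw Set-Cookie header values and return the names of cookies
    that carry no Secure attribute. SimpleCookie stores parsed attribute
    names lower-cased, so matching is case-insensitive like a browser's."""
    insecure = []
    for header in set_cookie_headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for cookie_name, morsel in cookie.items():
            if not morsel["secure"]:
                insecure.append(cookie_name)
    return insecure


# Constructed sample response headers for the audit helper.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "csrftoken=xyz789; Path=/; SameSite=Lax",
    "prefs=dark; Path=/; Secure",
]

if __name__ == "__main__":
    print(build_cookie("sample", "sample_value", secure=False))
    print(build_cookie("sample", "sample_value", secure=True))
    print(missing_secure_cookies(SAMPLE_SET_COOKIE_HEADERS))
```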