HTTP Cookies Misconfiguration
| Scan ID | misconfiguration.http_cookies |
|---|---|
| Severity | Info |
| CVSS 4.0 | 0.0 |
| OWASP Category | OWASP API8:2023 Security Misconfiguration |
Cookie security flags protect session tokens and authentication cookies from theft and misuse. Missing or misconfigured flags are individually low-severity, but in combination they significantly increase the risk of session hijacking, XSS-based token theft, and cross-site attacks.
Checks Performed
Section titled “Checks Performed”VulnAPI’s misconfiguration.http_cookies scan checks for five issues on every Set-Cookie response header:
HttpOnly flag missing (CWE-1004)
Section titled “HttpOnly flag missing (CWE-1004)”Without HttpOnly, JavaScript running on the page (including injected scripts from XSS) can read the cookie value via document.cookie.
Set-Cookie: session=abc123 ← vulnerableSet-Cookie: session=abc123; HttpOnly ← correctSecure flag missing (CWE-614)
Section titled “Secure flag missing (CWE-614)”Without Secure, the cookie is sent over unencrypted HTTP connections, exposing it to network interception (man-in-the-middle attacks).
Set-Cookie: session=abc123 ← vulnerableSet-Cookie: session=abc123; Secure ← correctSameSite=None without restrictions (CWE-1275)
Section titled “SameSite=None without restrictions (CWE-1275)”SameSite=None allows the cookie to be sent in all cross-site contexts, which can enable CSRF attacks if Secure is not also set. Use SameSite=Strict or SameSite=Lax instead.
Set-Cookie: session=abc123; SameSite=None ← vulnerableSet-Cookie: session=abc123; SameSite=Strict; Secure ← correctSameSite attribute not set (CWE-1275)
Section titled “SameSite attribute not set (CWE-1275)”Without a SameSite attribute, browsers apply the default policy (Lax in modern browsers, but None in older ones). Explicitly set SameSite to avoid relying on browser defaults.
No expiration (Expires / Max-Age missing) (CWE-613)
Section titled “No expiration (Expires / Max-Age missing) (CWE-613)”Without an expiration, the cookie is a session cookie — it expires only when the browser tab closes. Users who do not close their browser may retain session access indefinitely.
Set-Cookie: session=abc123 ← no expirySet-Cookie: session=abc123; Max-Age=3600 ← expires after 1 hourHow to test?
Section titled “How to test?”vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans misconfiguration.http_cookiesecho "eyJhbGciOiJSUzUxMiI..." | vulnapi scan openapi [OpenAPI_Path_Or_URL] --scans misconfiguration.http_cookiesvulnapi scan graphql -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans misconfiguration.http_cookies [url]VulnAPI supports scanning against various types of other vulnerabilities as well.
What is the impact?
Section titled “What is the impact?”Missing cookie flags individually represent low-severity findings, but in combination they create meaningful attack surface:
- XSS + missing HttpOnly → attacker can steal the session token via
document.cookie - Missing Secure → token exposed on HTTP (e.g. mixed-content pages, captive portals)
- Missing SameSite → CSRF attacks can use the session cookie cross-origin
- No expiration → long-lived sessions increase the window of opportunity for abuse
How to remediate?
Section titled “How to remediate?”Set all security flags on cookies that carry session tokens or authentication data:
Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict; Max-Age=3600; Path=/| Flag | Value | Purpose |
|---|---|---|
HttpOnly | (flag) | Prevent JavaScript access |
Secure | (flag) | HTTPS only |
SameSite | Strict or Lax | Restrict cross-site sending |
Max-Age | seconds | Set session lifetime |
Path | / or specific path | Restrict cookie scope |
For single-page applications that need cross-origin cookies (e.g. separate API and frontend domains), use SameSite=None; Secure together with CSRF tokens.