Skip to content

HTTP Cookies Misconfiguration

Scan IDmisconfiguration.http_cookies
SeverityInfo
CVSS 4.00.0
OWASP CategoryOWASP API8:2023 Security Misconfiguration

Cookie security flags protect session tokens and authentication cookies from theft and misuse. Missing or misconfigured flags are individually low-severity, but in combination they significantly increase the risk of session hijacking, XSS-based token theft, and cross-site attacks.

VulnAPI’s misconfiguration.http_cookies scan checks for five issues on every Set-Cookie response header:

Without HttpOnly, JavaScript running on the page (including injected scripts from XSS) can read the cookie value via document.cookie.

Set-Cookie: session=abc123 ← vulnerable
Set-Cookie: session=abc123; HttpOnly ← correct

Without Secure, the cookie is sent over unencrypted HTTP connections, exposing it to network interception (man-in-the-middle attacks).

Set-Cookie: session=abc123 ← vulnerable
Set-Cookie: session=abc123; Secure ← correct

SameSite=None without restrictions (CWE-1275)

Section titled “SameSite=None without restrictions (CWE-1275)”

SameSite=None allows the cookie to be sent in all cross-site contexts, which can enable CSRF attacks if Secure is not also set. Use SameSite=Strict or SameSite=Lax instead.

Set-Cookie: session=abc123; SameSite=None ← vulnerable
Set-Cookie: session=abc123; SameSite=Strict; Secure ← correct

Without a SameSite attribute, browsers apply the default policy (Lax in modern browsers, but None in older ones). Explicitly set SameSite to avoid relying on browser defaults.

No expiration (Expires / Max-Age missing) (CWE-613)

Section titled “No expiration (Expires / Max-Age missing) (CWE-613)”

Without an expiration, the cookie is a session cookie — it expires only when the browser tab closes. Users who do not close their browser may retain session access indefinitely.

Set-Cookie: session=abc123 ← no expiry
Set-Cookie: session=abc123; Max-Age=3600 ← expires after 1 hour
Terminal window
vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans misconfiguration.http_cookies

VulnAPI supports scanning against various types of other vulnerabilities as well.

Missing cookie flags individually represent low-severity findings, but in combination they create meaningful attack surface:

  • XSS + missing HttpOnly → attacker can steal the session token via document.cookie
  • Missing Secure → token exposed on HTTP (e.g. mixed-content pages, captive portals)
  • Missing SameSite → CSRF attacks can use the session cookie cross-origin
  • No expiration → long-lived sessions increase the window of opportunity for abuse

Set all security flags on cookies that carry session tokens or authentication data:

Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict; Max-Age=3600; Path=/
FlagValuePurpose
HttpOnly(flag)Prevent JavaScript access
Secure(flag)HTTPS only
SameSiteStrict or LaxRestrict cross-site sending
Max-AgesecondsSet session lifetime
Path/ or specific pathRestrict cookie scope

For single-page applications that need cross-origin cookies (e.g. separate API and frontend domains), use SameSite=None; Secure together with CSRF tokens.