Interlace ESLint

browser-security/no-sensitive-cookie-js

🔒 Disallow storing sensitive data (tokens, passwords) in cookies via JavaScript

Error Message Format

The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:

⚠️ CWE-1004 OWASP:A02 CVSS:5.3 | Sensitive Cookie Without HttpOnly detected | MEDIUM
   Fix: Review and apply the recommended fix | https://owasp.org/Top10/A02_2021/

Message Components

| Component | Purpose | Example |
| --- | --- | --- |
| Risk Standards | Security benchmarks | CWE-1004 OWASP:A02 CVSS:5.3 |
| Issue Description | Specific vulnerability | Sensitive Cookie Without HttpOnly detected |
| Severity & Compliance | Impact assessment | MEDIUM |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |

Rule Details

This rule prevents setting sensitive cookies (authentication tokens, session IDs, etc.) via document.cookie. A cookie written through JavaScript can never carry the HttpOnly flag, so any XSS payload can read it back from document.cookie; server-set cookies with the HttpOnly flag are not exposed to script.

Why is this dangerous?

When you set cookies via JavaScript:

  1. Any XSS attack can read the cookie via document.cookie
  2. There is no way to add the HttpOnly flag; only the server can set it
  3. Session tokens become vulnerable to theft

Examples

❌ Incorrect

// Setting auth token in cookie via JavaScript
document.cookie = 'token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...';

// Session ID
document.cookie = 'sessionId=abc123';

// JWT
document.cookie = 'jwt=eyJ...';

// Access token
document.cookie = 'access_token=' + accessToken;

// With template literal
document.cookie = `refreshToken=${token}; Secure; SameSite=Strict`;

// Even with security attributes, still vulnerable!
document.cookie = 'authToken=xyz; Secure; SameSite=Strict';

✅ Correct

// Non-sensitive cookies are fine
document.cookie = 'theme=dark';
document.cookie = 'locale=en-US';
document.cookie = 'visited=true';

// Set auth tokens via server response:
// Server: res.cookie('token', value, {
//   httpOnly: true,
//   secure: true,
//   sameSite: 'strict'
// });

// Or use fetch to get server-set HttpOnly cookie
await fetch('/api/auth/login', {
  method: 'POST',
  credentials: 'include',
  body: JSON.stringify({ username, password }),
});
// Server sets: Set-Cookie: token=xxx; HttpOnly; Secure; SameSite=Strict

Options

{
  "browser-security/no-sensitive-cookie-js": [
    "error",
    {
      "allowInTests": true,
      "sensitivePatterns": [
        "token",
        "jwt",
        "session",
        "auth",
        "password",
        "secret",
        "api_key",
        "credential"
      ]
    }
  ]
}

| Option | Type | Default | Description |
| --- | --- | --- | --- |
| allowInTests | boolean | true | Skip checking in test files |
| sensitivePatterns | string[] | See below | Patterns to detect as sensitive |

Default Sensitive Patterns

[
  'token',
  'jwt',
  'access_token',
  'accessToken',
  'refresh_token',
  'refreshToken',
  'id_token',
  'idToken',
  'auth',
  'session',
  'sessionId',
  'session_id',
  'password',
  'passwd',
  'secret',
  'api_key',
  'apiKey',
  'private_key',
  'privateKey',
  'credential',
  'bearer',
];

When Not To Use It

You may disable this rule if:

  • You're implementing a legacy system that requires client-side cookie management
  • You're working with non-sensitive cookies only

However, always prefer server-set HttpOnly cookies for any authentication-related data.

Express.js

res.cookie('token', jwtToken, {
  httpOnly: true, // Prevents XSS access
  secure: true, // HTTPS only
  sameSite: 'strict', // CSRF protection
  maxAge: 3600000, // 1 hour
});

NestJS

@Post('login')
login(@Res() res: Response) {
  res.cookie('token', jwtToken, {
    httpOnly: true,
    secure: true,
    sameSite: 'strict'
  });
}

Known False Negatives

The following patterns are not detected due to static analysis limitations:

Why: Computed names not analyzed.

// ❌ NOT DETECTED - Dynamic name
const name = 'authToken';
document.cookie = `${name}=${value}`;

Mitigation: Never set auth cookies client-side.

Why: Value patterns in variables not traced.

// ❌ NOT DETECTED - Value from variable
const data = jwt;
document.cookie = 'data=' + data;

Mitigation: Set auth cookies server-side.

Why: Library methods not recognized.

// ❌ NOT DETECTED - Library wrapper (e.g. the js-cookie package)
import Cookies from 'js-cookie';
Cookies.set('token', jwt);

Mitigation: Apply rule to library implementations.
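The detection logic described under Rule Details and Options, and the reason the false negatives above slip through, as an added illustration written against ESTree node shapes in ESLint rule form (this is not Interlace's own source; the `rule` object, `staticPrefix` and `cookieName` helpers are constructed for this example):

```javascript
// Added illustration, not Interlace's source: the rule's static check re-implemented.
const DEFAULT_SENSITIVE_PATTERNS = [
  'token', 'jwt', 'access_token', 'accessToken', 'refresh_token', 'refreshToken', 'id_token',
  'idToken', 'auth', 'session', 'sessionId', 'session_id', 'password', 'passwd', 'secret',
  'api_key', 'apiKey', 'private_key', 'privateKey', 'credential', 'bearer',
];

// Static leading text of the assigned expression, or null when the cookie name
// is only known at runtime (this is why `${name}=${value}` is not detected).
function staticPrefix(node) {
  if (node.type === 'Literal' && typeof node.value === 'string') return node.value;
  if (node.type === 'TemplateLiteral') return node.quasis[0].value.cooked;
  if (node.type === 'BinaryExpression' && node.operator === '+') return staticPrefix(node.left);
  return null;
}

// Cookie name from "name=value; attrs", or null if it cannot be determined statically.
function cookieName(node) {
  const prefix = staticPrefix(node);
  if (prefix === null) return null;
  const name = prefix.split('=')[0].trim();
  return name.length > 0 ? name : null;
}

// Case-insensitive substring match against the configured sensitive patterns.
function isSensitiveName(name, patterns = DEFAULT_SENSITIVE_PATTERNS) {
  const lower = name.toLowerCase();
  return patterns.some((p) => lower.includes(p.toLowerCase()));
}

// ESLint-style rule: report `document.cookie = <expr>` when the static name matches.
const rule = {
  meta: { type: 'problem', messages: { sensitive: 'Sensitive cookie "{{name}}" set via JavaScript' } },
  create(context) {
    const patterns = (context.options[0] || {}).sensitivePatterns || DEFAULT_SENSITIVE_PATTERNS;
    return {
      AssignmentExpression(node) {
        const { left } = node; // only plain `document.cookie` on the left-hand side
        if (left.type !== 'MemberExpression' || left.computed || left.object.name !== 'document' ||
            left.property.name !== 'cookie') return;
        const name = cookieName(node.right);
        if (name !== null && isSensitiveName(name, patterns)) {
          context.report({ node, messageId: 'sensitive', data: { name } });
        }
      },
    };
  },
};
```

Values that only arrive through a variable (`'data=' + data`) keep the non-sensitive static name `data`, so the value is never inspected, matching the second false negative above.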

OWASP Mapping

| Category | ID |
| --- | --- |
| OWASP Top 10 2021 | A02:2021 - Cryptographic Failures |
| CWE | CWE-1004 |
| CVSS | 8.1 (High) |
