require-cookie-secure-attrs
Require Secure and SameSite attributes on cookies.
⚠️ Security Issue
| Property | Value |
|---|---|
| CWE | CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute |
| OWASP | A05:2021 - Security Misconfiguration |
| CVSS | 6.5 (Medium) |
| Severity | MEDIUM |
📋 Description
A cookie set without Secure is also attached to plaintext http:// requests to the same host, where an on-path attacker can read or replace it; a single http:// link or image reference is enough to trigger such a request. A cookie set without SameSite is attached to cross-site requests, which is exactly what a CSRF attack relies on. Some browsers treat a missing SameSite as Lax and others do not, so only an explicit value is reliable. Two caveats when fixing: SameSite=None is only accepted together with Secure, and current browsers refuse to set a Secure cookie from an http:// page, so the remedy is to serve the page over HTTPS rather than to drop the attribute.
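As an added illustration, not code from the plugin, the following helper parses a cookie string of the form this rule inspects and reports the same two defects, plus the SameSite=None-without-Secure combination that browsers reject. The parser, the function names and the sample strings are assumptions made for this example; the plugin itself is an ESLint rule over source code, not a runtime check.

```javascript
// Added example, not part of @interlace/browser-security: a runtime audit of the
// attributes this rule requires. Attribute names are case-insensitive and the
// Secure flag takes no value (RFC 6265), so presence is what matters.
const VALID_SAMESITE = new Set(['strict', 'lax', 'none']);

// Split "name=value; Attr; Attr=val" into its pair and a lower-cased attribute map.
function parseCookieString(cookieStr) {
  const parts = cookieStr.split(';').map((p) => p.trim()).filter(Boolean);
  const [pair = '', ...attrParts] = parts;
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Returns { ok, problems } for one cookie string; problems is empty only when the
// string carries Secure and a valid SameSite value.
function checkCookieAttrs(cookieStr) {
  const { attrs } = parseCookieString(cookieStr);
  const problems = [];
  const secure = 'secure' in attrs;
  if (!secure) problems.push('missing Secure');
  if (!('samesite' in attrs)) {
    problems.push('missing SameSite');
  } else {
    const mode = String(attrs.samesite).toLowerCase();
    if (!VALID_SAMESITE.has(mode)) problems.push(`invalid SameSite=${attrs.samesite}`);
    else if (mode === 'none' && !secure) problems.push('SameSite=None requires Secure');
  }
  return { ok: problems.length === 0, problems };
}

// Constructed samples, mirroring the Incorrect/Correct snippets on this page.
const SAMPLES = [
  'name=value',
  'name=value; Secure',
  'name=value; SameSite=Strict',
  'name=value; Secure; SameSite=Strict',
  'name=value; SameSite=None',
];

function auditSamples(samples = SAMPLES) {
  return samples.map((s) => ({ cookie: s, ...checkCookieAttrs(s) }));
}

for (const r of auditSamples()) {
  console.log(r.ok ? 'ok  ' : 'FAIL', r.cookie, r.problems.join('; '));
}
```

The same check can be run against `document.cookie` assignments in a test harness or against the `Set-Cookie` headers a server emits; it does not replace the lint rule, which catches the problem before the code ships.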
❌ Incorrect
```javascript
// Missing both attributes
document.cookie = 'name=value';
// Missing SameSite
document.cookie = 'name=value; Secure';
// Missing Secure
document.cookie = 'name=value; SameSite=Strict';
```
✅ Correct
```javascript
// Both attributes present
document.cookie = 'name=value; Secure; SameSite=Strict';
// Lax SameSite (the cookie is still sent on top-level GET navigations from other
// sites, which a session cookie usually needs so that external links keep working)
document.cookie = 'name=value; Secure; SameSite=Lax';
// Server-side, Express-style (preferred: a Set-Cookie header can also carry
// HttpOnly, which a cookie written through document.cookie never can)
res.cookie('name', 'value', {
  secure: true,
  sameSite: 'strict',
});
```
🛠️ Options
```json
{
  "rules": {
    "@interlace/browser-security/require-cookie-secure-attrs": [
      "error",
      {
        "allowInTests": true
      }
    ]
  }
}
```
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Cookie String from Variable
Why: a cookie value that arrives through a variable is not traced back to where it was built.
```javascript
// ❌ NOT DETECTED - Cookie from variable
const cookie = 'name=value'; // Missing attrs
document.cookie = cookie;
```
Mitigation: Build cookie strings with attributes inline.
Cookie Library Wrappers
Why: library methods are not recognized as cookie writes.
```javascript
// ❌ NOT DETECTED - Library wrapper
Cookies.set('name', 'value'); // May not set Secure
```
Mitigation: Review cookie library configurations.
Conditional Attributes
Why: dynamic conditions are not evaluated, so the branch that drops the attribute is invisible.
```javascript
// ❌ NOT DETECTED - Conditional attributes
const attrs = isDev ? '' : '; Secure';
document.cookie = 'name=value' + attrs;
```
Mitigation: Always use secure attributes in production.
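One way to act on all three mitigations at once, as an added example rather than the plugin's own code: route every cookie write through a single helper that builds the string inline, so there is no variable, wrapper or environment flag from which a cookie without attributes could come. The helper names, option names and the RFC 6265 token check are assumptions made for this example.

```javascript
// Added example, not part of @interlace/browser-security. Every cookie written
// through setCookie() carries Secure and SameSite unconditionally; there is no
// isDev branch, which is what made the conditional pattern above undetectable.
const SAMESITE_VALUES = new Set(['Strict', 'Lax', 'None']);
// Cookie names must be RFC 6265 tokens; rejecting anything else keeps a caller
// from smuggling "; Secure"-style attribute text in through the name.
const COOKIE_TOKEN = /^[A-Za-z0-9!#$%&'*+.^_`|~-]+$/;

function buildCookie(name, value, opts = {}) {
  const { sameSite = 'Lax', path = '/', domain, maxAge } = opts;
  if (!COOKIE_TOKEN.test(name)) {
    throw new TypeError(`invalid cookie name: ${name}`);
  }
  if (!SAMESITE_VALUES.has(sameSite)) {
    throw new RangeError(`SameSite must be Strict, Lax or None, got ${sameSite}`);
  }
  if (maxAge !== undefined && !Number.isInteger(maxAge)) {
    throw new RangeError('maxAge must be an integer number of seconds');
  }
  // encodeURIComponent keeps ';', ',' and whitespace out of the value, so the
  // attribute list that follows cannot be truncated or overridden by the value.
  const parts = [
    `${name}=${encodeURIComponent(value)}`,
    `Path=${path}`,
    'Secure',
    `SameSite=${sameSite}`,
  ];
  if (domain) parts.push(`Domain=${domain}`);
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  return parts.join('; ');
}

// Writes the cookie when a document exists (browser) and returns the string
// either way, so the result can be inspected or unit-tested in Node.
function setCookie(name, value, opts) {
  const cookie = buildCookie(name, value, opts);
  if (typeof document !== 'undefined') {
    document.cookie = cookie;
  }
  return cookie;
}

// Deletion goes through the same builder: Max-Age=0 expires the cookie at once,
// and the expired cookie still carries Secure and SameSite.
function deleteCookie(name, opts = {}) {
  return setCookie(name, '', { ...opts, maxAge: 0 });
}
```

Because the attributes are literal inside one function, the lint rule sees them, and the wrapper is the only place a reviewer has to read. The dev-versus-prod toggle from the third pattern is not needed: browsers that refuse Secure cookies on http:// pages (current Chromium and Firefox) still accept them on http://localhost, which they treat as a secure context, so local development works without a branch.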
📚 Related Resources
Error Message Format
The rule provides LLM-optimized error messages (compact two-line format) with actionable security guidance:
```
⚠️ CWE-614 OWASP:A02 CVSS:5.3 | Sensitive Cookie in HTTPS without Secure detected | MEDIUM
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A02_2021/
```
Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-614 OWASP:A02 CVSS:5.3 |
| Issue Description | Specific vulnerability | Sensitive Cookie in HTTPS without Secure detected |
| Severity & Compliance | Impact assessment | MEDIUM |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |