# no-insecure-cookie-options

Require secure cookie flags (httpOnly, secure, sameSite)

**Severity:** 🔴 High
**CWE:** CWE-614
## Error Message Format

The rule provides LLM-optimized error messages (compact 2-line format) with actionable security guidance:

```
⚠️ CWE-614 OWASP:A02 CVSS:5.3 | Sensitive Cookie in HTTPS without Secure detected | MEDIUM
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A02_2021/
```

### Message Components

| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-614 OWASP:A02 CVSS:5.3 |
| Issue Description | Specific vulnerability | Sensitive Cookie in HTTPS without Secure detected |
| Severity & Compliance | Impact assessment | MEDIUM |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |
## Rule Details

This rule detects cookies set without proper security flags. Missing flags can expose sensitive cookie data to XSS attacks, man-in-the-middle attacks, and CSRF.

Required flags:

- `httpOnly: true` - Prevents JavaScript access (XSS protection)
- `secure: true` - Cookie only sent over HTTPS
- `sameSite: 'strict'` or `'lax'` - CSRF protection
## Examples

### ❌ Incorrect

```js
// No options - VULNERABLE
res.cookie('session', token);

// Missing httpOnly - VULNERABLE to XSS
res.cookie('session', token, { secure: true });

// sameSite: 'none' - VULNERABLE to CSRF
res.cookie('session', token, {
  httpOnly: true,
  secure: true,
  sameSite: 'none',
});
```

### ✅ Correct

```js
// All security flags set - SAFE
res.cookie('session', token, {
  httpOnly: true,
  secure: true,
  sameSite: 'strict',
});

// Lax is acceptable for most use cases
res.cookie('session', token, {
  httpOnly: true,
  secure: true,
  sameSite: 'lax',
});
```

## Options

| Option | Type | Default | Description |
|---|---|---|---|
| `allowInTests` | boolean | `false` | Allow insecure cookies in test files |
| `requireHttpOnly` | boolean | `true` | Require httpOnly flag |
| `requireSecure` | boolean | `true` | Require secure flag |
| `requireSameSite` | boolean | `true` | Require sameSite flag |
| `acceptableSameSiteValues` | string[] | `['strict', 'lax']` | Acceptable sameSite values |

```json
{
  "rules": {
    "express-security/no-insecure-cookie-options": [
      "error",
      {
        "requireHttpOnly": true,
        "requireSecure": true,
        "acceptableSameSiteValues": ["strict"]
      }
    ]
  }
}
```

## When Not To Use It

Never disable for session cookies or cookies containing sensitive data.
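As an added illustration of the checks described under Rule Details and the options above (this is not the plugin's own implementation), the following JavaScript models the rule's decision on a literal cookie-options object: it applies the defaults from the Options table, treats Express's `sameSite: true` as `'strict'`, and formats findings in the compact message style shown earlier. Apart from the `Secure` message, which is copied from the page, the finding texts and the `demo` helper are constructed for this example.

```javascript
// Added example, not the plugin's source: a runtime model of the rule's
// checks on a literal options object, using the Options table defaults.
const DEFAULT_CONFIG = {
  requireHttpOnly: true,
  requireSecure: true,
  requireSameSite: true,
  acceptableSameSiteValues: ['strict', 'lax'],
};

// Normalise sameSite the way Express interprets it:
// true means Strict; strings are compared case-insensitively.
function normalizeSameSite(value) {
  if (value === true) return 'strict';
  if (typeof value === 'string') return value.toLowerCase();
  return value; // undefined, false, or something unexpected
}

// Returns an array of findings in the rule's compact first-line format.
// An empty array means the options satisfy the configured checks.
function checkCookieOptions(options, config = {}) {
  const cfg = { ...DEFAULT_CONFIG, ...config };
  const opts = options && typeof options === 'object' ? options : {};
  const findings = [];
  const report = (issue) =>
    findings.push(`CWE-614 OWASP:A02 CVSS:5.3 | ${issue} | MEDIUM`);

  if (cfg.requireHttpOnly && opts.httpOnly !== true) {
    report('Sensitive Cookie without httpOnly detected'); // constructed wording
  }
  if (cfg.requireSecure && opts.secure !== true) {
    report('Sensitive Cookie in HTTPS without Secure detected'); // wording from the page
  }
  if (cfg.requireSameSite) {
    const sameSite = normalizeSameSite(opts.sameSite);
    const acceptable = cfg.acceptableSameSiteValues.map((v) => v.toLowerCase());
    if (sameSite === undefined) {
      report('Sensitive Cookie without sameSite detected'); // constructed wording
    } else if (!acceptable.includes(sameSite)) {
      report(`Sensitive Cookie with sameSite '${opts.sameSite}' detected`); // constructed wording
    }
  }
  return findings;
}

// Runs the page's own incorrect and correct examples through the checker
// and returns the findings per case (constructed helper for the example).
function demo() {
  const cases = {
    noOptions: undefined,
    missingHttpOnly: { secure: true },
    sameSiteNone: { httpOnly: true, secure: true, sameSite: 'none' },
    allFlagsStrict: { httpOnly: true, secure: true, sameSite: 'strict' },
    allFlagsLax: { httpOnly: true, secure: true, sameSite: 'lax' },
  };
  const results = {};
  for (const [name, opts] of Object.entries(cases)) {
    results[name] = checkCookieOptions(opts);
  }
  return results;
}

console.log(demo());
```

Note that the "Missing httpOnly" example produces two findings, not one: it also lacks `sameSite`, so a cookie set with only `{ secure: true }` fails both the `requireHttpOnly` and `requireSameSite` checks under the default configuration.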
## Known False Negatives

The following patterns are not detected due to static analysis limitations:

### Cookie Options from Variable

**Why:** Options stored in variables are not analyzed.

```js
// ❌ NOT DETECTED - Options from variable
const cookieOpts = { httpOnly: false };
res.cookie('session', token, cookieOpts);
```

**Mitigation:** Use inline cookie options. Create typed secure defaults.

### Response Object Aliased

**Why:** Renamed response object is not tracked.

```js
// ❌ NOT DETECTED - Aliased response
function setCookie(response, name, value) {
  response.cookie(name, value); // No flags!
}
```

**Mitigation:** Add types requiring secure options. Use wrapper with defaults.

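For the two false negatives above (options held in a variable, and an aliased response object), the suggested mitigation is a wrapper with secure defaults. The following is an added example of such a wrapper, not code from the plugin or from Express: `setSecureCookie`, `makeFakeResponse`, `setSessionCookie` and the `maxAge` value are assumptions made for this example. The wrapper merges caller overrides onto the secure flags and refuses any override that would weaken them, so the flags are enforced at runtime even where the lint rule cannot see them.

```javascript
// Added example, not the plugin's or Express's code: a single place that
// every call site uses instead of res.cookie(), with secure defaults that
// callers cannot silently weaken.
const SECURE_COOKIE_DEFAULTS = Object.freeze({
  httpOnly: true,
  secure: true,
  sameSite: 'strict',
});

const ALLOWED_SAMESITE = ['strict', 'lax'];

// Merge overrides onto the defaults, reject weakening ones (httpOnly: false,
// secure: false, sameSite: 'none'), then set the cookie. Returns the final
// options object so callers and tests can inspect what was applied.
function setSecureCookie(res, name, value, overrides = {}) {
  const options = { ...SECURE_COOKIE_DEFAULTS, ...overrides };
  if (options.httpOnly !== true) {
    throw new TypeError(`${name}: httpOnly must stay true`);
  }
  if (options.secure !== true) {
    throw new TypeError(`${name}: secure must stay true`);
  }
  // Express treats sameSite: true as Strict; normalise strings to lower case.
  const sameSite =
    options.sameSite === true ? 'strict' : String(options.sameSite).toLowerCase();
  if (!ALLOWED_SAMESITE.includes(sameSite)) {
    throw new TypeError(
      `${name}: sameSite must be 'strict' or 'lax', got ${options.sameSite}`,
    );
  }
  options.sameSite = sameSite;
  res.cookie(name, value, options);
  return options;
}

// Constructed stand-in for an Express response object: records cookie() calls
// so the example runs without a server.
function makeFakeResponse() {
  const calls = [];
  return {
    calls,
    cookie(name, value, options) {
      calls.push({ name, value, options });
    },
  };
}

// The aliased-response pattern from the false-negative list, now safe because
// the alias goes through the wrapper instead of calling .cookie() directly.
// The 15-minute maxAge is an assumed value for the example.
function setSessionCookie(response, token) {
  return setSecureCookie(response, 'session', token, { maxAge: 15 * 60 * 1000 });
}

const res = makeFakeResponse();
console.log(setSessionCookie(res, 'example-token'));
```

The same wrapper also covers the "options from variable" case: a variable such as `cookieOpts` becomes an override passed to `setSecureCookie`, and an insecure value in it raises an error at the first request rather than shipping silently.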
### Cookie Through Session Middleware

**Why:** Session middleware cookie configuration is not checked.

```js
// ❌ NOT DETECTED - Session middleware config
app.use(
  session({
    cookie: { httpOnly: false }, // Insecure!
  }),
);
```

**Mitigation:** Configure session middleware explicitly. Review middleware docs.

### Framework Cookie Helpers

**Why:** Framework-specific cookie methods are not recognized.

```js
// ❌ NOT DETECTED - Next.js cookie API
import { cookies } from 'next/headers';
cookies().set('session', token); // Flags not checked
```

**Mitigation:** Platform-specific linting. Review framework security docs.