
Conversation

@pixeebot-test pixeebot-test bot commented Jul 29, 2024

Remediation

This change fixes "Add secure flag to HTTP cookies" (id = insecure-cookie) identified by CodeQL.

Details

This change marks new cookies sent in the HTTP response with the "secure" flag. This flag, despite its ambitious name, only provides one type of protection: confidentiality. Cookies with this flag are guaranteed by the browser never to be sent over a cleartext channel ("http://") and only sent over secure channels ("https://").

Our change introduces this flag with a simple 1-line statement:

  Cookie cookie = new Cookie("my_cookie", userCookieValue);
+ cookie.setSecure(true);
  response.addCookie(cookie);
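Review bot: `cookie.setSecure(true)` is unconditional, so in any deployment that serves plain HTTP (the CI, pre-production and production cases the note below calls out) the browser will silently refuse to send the cookie back and the session will appear broken with no error on the server side. Consider deriving the flag from `request.isSecure()` or an explicit configuration setting so the intent survives environments without TLS, and consider pairing it with `cookie.setHttpOnly(true)` since confidentiality against script access is the same class of concern this remediation addresses.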

Note: this code change may cause issues with the application if any of the places this code runs (in CI, pre-production or in production) are served over a non-HTTPS protocol.

More reading

I have additional improvements ready for this repo! If you want to see them, leave the comment:

@pixeebot next

... and I will open a new PR right away!

🧚🤖 Powered by Pixeebot

Feedback | Community | Docs | Codemod ID: codeql:java/insecure-cookie
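A fuller version of the remediation above, written here as an added example and not part of the Pixeebot change or the repository's own code. It assumes a Jakarta Servlet application (the `jakarta.servlet` imports are an assumption; the page does not say which Servlet API version the project uses) and adds the check the caveat above calls for: refusing to emit a `Secure` cookie on a request that did not arrive over TLS, so a misconfigured environment fails loudly instead of silently dropping sessions.

```java
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/** Helper for issuing cookies that are only ever transmitted over HTTPS (added example, not project code). */
public final class SecureCookies {

    private SecureCookies() {}

    /**
     * Builds a cookie the browser will send only over https:// (Secure) and will not expose
     * to document.cookie (HttpOnly). Both flags protect the cookie's confidentiality.
     */
    public static Cookie secureCookie(String name, String value) {
        Cookie cookie = new Cookie(name, value);
        cookie.setSecure(true);    // never sent over a cleartext channel
        cookie.setHttpOnly(true);  // not readable by page script
        cookie.setPath("/");       // scope assumed here; adjust to the application's paths
        return cookie;
    }

    /**
     * Adds the cookie to the response, but only when the current request actually came in
     * over TLS. If the application is running behind plain HTTP (CI, pre-production, a
     * misconfigured production host), a Secure cookie would be accepted by the server and
     * then silently discarded by the browser; failing here makes that misconfiguration visible.
     */
    public static void addSecureCookie(HttpServletRequest request,
                                       HttpServletResponse response,
                                       String name, String value) {
        if (!request.isSecure()) {
            throw new IllegalStateException(
                "Refusing to set Secure cookie '" + name + "' on a non-HTTPS request; "
                + "serve this endpoint over TLS or configure the container to trust the proxy's forwarded scheme");
        }
        response.addCookie(secureCookie(name, value));
    }
}
```

One deployment detail worth checking before relying on `request.isSecure()`: when TLS is terminated at a reverse proxy or load balancer and the container receives plain HTTP, `isSecure()` returns `false` unless the container is configured to honour the proxy's forwarded-protocol header (for example Tomcat's `RemoteIpValve`), so the check above should be validated in each environment rather than assumed to pass.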
