CWE-1004

Sensitive Cookie Without 'HttpOnly' Flag

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

Mitigation

Phase: Implementation

Description:

  • Leverage the HttpOnly flag when setting a sensitive cookie in a response.
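As an added illustration (not part of the CWE entry), the following Python shows the mitigation in practice: one helper emits a Set-Cookie header for a sensitive cookie with HttpOnly set, and an audit helper parses Set-Cookie headers from a response and reports sensitive cookies that lack the flag. The set of "sensitive" cookie names and the sample headers are constructed assumptions for the example.

```python
# Added example, not code from the CWE entry: build a Set-Cookie header with
# HttpOnly, and audit Set-Cookie headers for sensitive cookies missing it.
from dataclasses import dataclass, field

# Which cookie names count as "sensitive" is an assumption for this example.
SENSITIVE_NAMES = {"sessionid", "session", "auth_token", "jsessionid"}


@dataclass
class ParsedCookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lowercase attr -> value or True


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")  # split on the first '=' only
    cookie = ParsedCookie(name.strip(), value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        # Flag attributes (HttpOnly, Secure) have no value; store them as True.
        cookie.attrs[key.strip().lower()] = val.strip() if sep else True
    return cookie


def missing_httponly(headers: list[str]) -> list[str]:
    """Names of sensitive cookies set without HttpOnly (the CWE-1004 case)."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        if c.name.lower() in SENSITIVE_NAMES and "httponly" not in c.attrs:
            findings.append(c.name)
    return findings


def build_sensitive_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Set-Cookie header applying the mitigation: HttpOnly, alongside the
    Secure and SameSite attributes usually set with it."""
    return (f"{name}={value}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


# Constructed sample response headers for the audit.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure",          # sensitive, no HttpOnly
    "theme=dark; Path=/",                        # not sensitive, ignored
    "auth_token=xyz; Path=/; Secure; HttpOnly",  # correctly flagged
]

if __name__ == "__main__":
    print(missing_httponly(SAMPLE_HEADERS))  # ['sessionid']
    print(build_sensitive_cookie("sessionid", "abc123"))
```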

No CAPEC attack patterns related to this CWE.
