Typescript Session Cookie Http Only False
Description
Detects insecure session cookie configurations in Express.js applications where the HttpOnly flag is disabled or not set. This leaves session cookies accessible to client-side scripts, potentially exposing them to cross-site scripting (XSS) attacks that could steal session data.
Detection Strategy
• Identifies require/import statements of 'express-session' package in the code
• Locates session middleware initialization calls in Express.js applications
• Examines configuration objects passed to express-session for cookie settings
• Reports a vulnerability when cookie configuration has HttpOnly explicitly set to false or missing
• Example of vulnerable code: app.use(session({ cookie: { httpOnly: false } }))
Vulnerable code example
import express from 'express';
import session from 'express-session';
const app = express();
app.use(session({
  secret: process.env.SESSION_SECRET as string, // required by express-session; the value is not part of this page's example
  resave: false,
  saveUninitialized: true,
  cookie: { httpOnly: false } // HttpOnly disabled: client-side scripts can read the session cookie
}));

✅ Secure code example
import express from 'express';
import session from 'express-session';
const app = express();
app.use(session({
  secret: process.env.SESSION_SECRET as string, // required by express-session; the value is not part of this page's example
  resave: false,
  saveUninitialized: true,
  cookie: { httpOnly: true } // HttpOnly set: the browser withholds the cookie from document.cookie
}));
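The checker below is an added example, not Fluid Attacks' rule implementation and not code from the express-session project. It applies the detection strategy listed above in two ways: to a session configuration object at runtime, and to TypeScript source text by locating each `session(` call and examining its argument. The `SessionOptions` and `CookieOptions` interfaces are a hand-written subset of express-session's options, assumed here so the file runs without that package installed; the sample configurations and source snippet are constructed, and the secret is a placeholder.

```typescript
// Added example (not the rule's own code): apply the HttpOnly rule to a
// session configuration object and to source text. The interfaces are an
// assumed subset of express-session's options, not the library's types.

interface CookieOptions {
  httpOnly?: boolean;
  secure?: boolean;
  sameSite?: boolean | 'lax' | 'strict' | 'none';
}

interface SessionOptions {
  secret: string | string[];
  resave?: boolean;
  saveUninitialized?: boolean;
  cookie?: CookieOptions;
}

interface Finding {
  vulnerable: boolean;
  reason: string;
}

// Rule logic: report when httpOnly is explicitly false or not set at all
// (either the cookie block or the flag itself is missing).
function auditSessionCookie(options: SessionOptions): Finding {
  const httpOnly = options.cookie?.httpOnly;
  if (httpOnly === false) {
    return { vulnerable: true, reason: 'httpOnly explicitly set to false' };
  }
  if (httpOnly === undefined) {
    return { vulnerable: true, reason: 'httpOnly not set' };
  }
  return { vulnerable: false, reason: 'httpOnly enabled' };
}

// Remediation: copy the options with the flag forced on, leaving every
// other setting untouched.
function hardenSessionCookie(options: SessionOptions): SessionOptions {
  return { ...options, cookie: { ...(options.cookie ?? {}), httpOnly: true } };
}

// Source-level check mirroring the detection strategy: find each `session(`
// call, take its argument text by balancing parentheses, and apply the same
// rule to that text. Returns the 1-based line of each flagged call. This is
// a regex scan, not a parser, so it only sees a literal httpOnly: true/false
// written inside the call itself.
function scanSource(src: string): number[] {
  const flaggedLines: number[] = [];
  const callRe = /\bsession\s*\(/g;
  let m: RegExpExecArray | null;
  while ((m = callRe.exec(src)) !== null) {
    let depth = 1;
    let i = m.index + m[0].length;
    while (i < src.length && depth > 0) {
      if (src[i] === '(') depth++;
      else if (src[i] === ')') depth--;
      i++;
    }
    const arg = src.slice(m.index + m[0].length, i - 1);
    const explicitFalse = /\bhttpOnly\s*:\s*false\b/.test(arg);
    const explicitTrue = /\bhttpOnly\s*:\s*true\b/.test(arg);
    if (explicitFalse || !explicitTrue) {
      flaggedLines.push(src.slice(0, m.index).split('\n').length);
    }
  }
  return flaggedLines;
}

// Constructed sample configurations; the secret is a placeholder value.
const vulnerableOptions: SessionOptions = {
  secret: 'PLACEHOLDER_SECRET',
  resave: false,
  saveUninitialized: true,
  cookie: { httpOnly: false },
};

const secureOptions: SessionOptions = hardenSessionCookie(vulnerableOptions);

// Constructed source snippet: one vulnerable call (line 3), one secure call.
const sampleSource = `
import session from 'express-session';
app.use(session({ cookie: { httpOnly: false } }));
app.use(session({ secret: 's', cookie: { httpOnly: true, secure: true } }));
`;

console.log(auditSessionCookie(vulnerableOptions)); // vulnerable: true
console.log(auditSessionCookie(secureOptions));     // vulnerable: false
console.log(scanSource(sampleSource));              // [3]
```

The object-level audit is the same predicate the source scanner applies, so both report the explicit `false` case and the omitted case. express-session's own default for `cookie.httpOnly` is true, which is why the omitted case is reported as a configuration to make explicit rather than leave to a library default; the hardened copy produced by `hardenSessionCookie` is what the secure example above expresses by hand.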