Go Http Only Disabled
Description
Detects cookies that are set without the HttpOnly flag in Go applications. Without HttpOnly, the browser exposes the cookie to client-side script (for example through document.cookie), so a Cross-Site Scripting (XSS) flaw anywhere on the same origin can read the cookie and send it to an attacker. This is particularly risky for session cookies and authentication tokens, which the attacker can then replay from their own browser. Note that HttpOnly only blocks script from reading the cookie; script injected through XSS can still issue requests that the browser authenticates with that cookie, so the flag limits token theft and does not fix the XSS itself.
Detection Strategy
• Check whether the application imports Go's net/http or gorilla/sessions packages
• Look for cookie configurations built from http.Cookie or sessions.Options values
• Examine the HttpOnly field of those values: it is a bool whose zero value is false, so a literal that omits the field is equivalent to one that sets HttpOnly: false
• Verify that the cookie is used in a security-sensitive context (e.g., session handling, authentication); a cookie that front-end code legitimately needs to read is not a finding
• Report a vulnerability when a sensitive cookie is configured without HttpOnly protection
Vulnerable code example
package main

import "net/http"

func main() {
	http.HandleFunc("/", handleCookie)
	http.ListenAndServe(":8080", nil)
}
...

✅ Secure code example
package main

import "net/http"

func main() {
	http.HandleFunc("/", handleCookie)
	http.ListenAndServe(":8080", nil)
}
...
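The detection strategy above, carried out over real source with the standard go/ast package, as an added example that is not Fluid Attacks' own scanner or the page's code. It maps the imports (aliases included) to the two cookie-option types, visits every http.Cookie and sessions.Options composite literal, and reports any literal whose HttpOnly field is omitted or is anything other than the literal true. The three sample files are constructed for this example; the cookie name session_id is an assumption. Whether a reported cookie is actually sensitive (the fourth step) is left to the analyst, and a field assigned after construction (c.HttpOnly = true) or set from a variable is deliberately still reported, so the check errs on the side of false positives.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// cookieTypes: import path -> struct whose literals carry the HttpOnly field.
var cookieTypes = map[string]string{
	"net/http":                    "Cookie",
	"github.com/gorilla/sessions": "Options",
}

// FindMissingHttpOnly parses one Go file and reports every http.Cookie or
// sessions.Options composite literal whose HttpOnly field is omitted or is
// anything but the literal true. A bool's zero value is false, so an omitted
// field behaves exactly like HttpOnly: false. Each finding is "file:line:col: ...".
func FindMissingHttpOnly(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	// Step 1: map local package names (aliases included) to the type of interest.
	local := map[string]string{}
	for _, imp := range f.Imports {
		path, _ := strconv.Unquote(imp.Path.Value)
		if typ, ok := cookieTypes[path]; ok {
			name := path[strings.LastIndex(path, "/")+1:]
			if imp.Name != nil {
				name = imp.Name.Name
			}
			local[name] = typ
		}
	}
	if len(local) == 0 {
		return nil, nil // neither package is imported: nothing to inspect
	}
	// Steps 2-3: visit each literal of those types and inspect its HttpOnly field.
	var out []string
	ast.Inspect(f, func(n ast.Node) bool {
		lit, ok := n.(*ast.CompositeLit)
		if !ok {
			return true
		}
		sel, _ := lit.Type.(*ast.SelectorExpr) // nil for non-qualified or elided types
		if sel == nil {
			return true
		}
		pkg, _ := sel.X.(*ast.Ident)
		if pkg == nil || local[pkg.Name] != sel.Sel.Name {
			return true
		}
		httpOnly := false
		for _, el := range lit.Elts {
			if kv, ok := el.(*ast.KeyValueExpr); ok {
				if k, ok := kv.Key.(*ast.Ident); ok && k.Name == "HttpOnly" {
					v, _ := kv.Value.(*ast.Ident)
					httpOnly = v != nil && v.Name == "true" // a variable is not accepted
				}
			}
		}
		if !httpOnly {
			out = append(out, fmt.Sprintf("%s: %s.%s literal without HttpOnly: true",
				fset.Position(lit.Pos()), pkg.Name, sel.Sel.Name))
		}
		return true
	})
	return out, nil
}

// Constructed sample inputs (not from the page): a vulnerable net/http handler,
// a hardened cookie, and a gorilla/sessions Options value set through an import alias.
var samples = map[string]string{
	"vuln.go": `package main
import "net/http"
func handleCookie(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{Name: "session_id", Value: "x", Path: "/"})
}`,
	"ok.go": `package main
import "net/http"
var hardened = &http.Cookie{Name: "session_id", Value: "x", Path: "/", Secure: true, HttpOnly: true}`,
	"gorilla.go": `package main
import gs "github.com/gorilla/sessions"
var opts = &gs.Options{Path: "/", HttpOnly: false}`,
}

func main() {
	for file, src := range samples {
		findings, err := FindMissingHttpOnly(file, src)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d finding(s) %v\n", file, len(findings), findings)
	}
}
```

Run it with go run and vuln.go reports one finding at line 4, gorilla.go one finding for gs.Options, and ok.go none. Parsing alone is enough here (no type checking), which is why the gorilla/sessions sample needs no module download; the cost is that the check matches on the imported package name rather than the resolved type, so a dot import or a locally defined type named Cookie would be missed.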