Python Cookie Httponly False
Description
Detects when cookies are configured without the HttpOnly flag in Python applications. When cookies lack this security flag, they become accessible to client-side JavaScript code, potentially exposing sensitive data like session tokens to Cross-Site Scripting (XSS) attacks.
Detection Strategy
• Identifies cookie-related function calls including 'set_cookie', 'AuthTktCookieHelper', and 'AuthTktAuthenticationPolicy'
• Examines cookie configuration parameters to check if HttpOnly flag is missing or set to false
• Reports a vulnerability when cookies are configured without proper HttpOnly protection
• Focuses on Python web frameworks and authentication systems that handle cookie operations
Vulnerable code example
from starlette.responses import HTMLResponse
def set_insecure_cookie(response: HTMLResponse, token: str) -> HTMLResponse:
# Vulnerable: httponly=False allows client-side access to cookies via JavaScript
response.set_cookie(
key="auth_token",
value=token,
secure=True,...✅ Secure code example
from starlette.responses import HTMLResponse
def set_secure_cookie(response: HTMLResponse, token: str) -> HTMLResponse:
# Secure: httponly=True prevents JavaScript access, samesite prevents CSRF
response.set_cookie(
key="auth_token",
value=token,
secure=True,...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.