Javascript Session Cookie Http Only False
Description
Detects when Express.js session cookies are configured without the HttpOnly flag. Without HttpOnly, client-side JavaScript can read the session cookie through document.cookie, so any cross-site scripting (XSS) flaw in the application lets injected script steal the session token and hijack the authenticated session.
Detection Strategy
• Identifies express-session middleware usage in the application code
• Examines the session configuration object passed to the express-session middleware
• Checks whether a cookie configuration exists with httpOnly explicitly set to false
• Reports a vulnerability when the session cookie is configured with httpOnly: false, leaving it readable from client-side JavaScript
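The following is an added example, not Fluid Attacks' scanner: a minimal static check in Node.js that follows the four steps of the detection strategy above. It locates the identifier bound to express-session, finds each call to it that passes an inline options literal, extracts the nested cookie object and reports httpOnly explicitly set to false. Two simplifications are assumed: the options are an object literal (a variable holding the options is not followed), and braces inside string values are not expected, so the brace matcher is deliberately simple. The three sample sources are constructed for the example.

```javascript
// Added example (not Fluid Attacks' own scanner): a minimal static check for
// express-session cookies configured with httpOnly: false.
// Assumptions: options are passed as an inline object literal, and no string
// values contain braces (the brace matcher below does not track strings).

// Step 1: find the local identifier that express-session is bound to.
function findSessionIdentifier(source) {
  // const session = require('express-session')  or  import session from 'express-session'
  const m =
    source.match(/(?:const|let|var)\s+(\w+)\s*=\s*require\(\s*['"]express-session['"]\s*\)/) ||
    source.match(/import\s+(\w+)\s+from\s+['"]express-session['"]/);
  return m ? m[1] : null;
}

// Returns the balanced `{ ... }` literal starting at index `start`, or null if unbalanced.
function extractObjectLiteral(source, start) {
  let depth = 0;
  for (let i = start; i < source.length; i++) {
    if (source[i] === '{') depth += 1;
    else if (source[i] === '}') {
      depth -= 1;
      if (depth === 0) return source.slice(start, i + 1);
    }
  }
  return null;
}

// Steps 2-4: examine each session(...) options object and report httpOnly: false.
function scanExpressSession(source) {
  const findings = [];
  const ident = findSessionIdentifier(source);
  if (!ident) return findings; // express-session is not used in this file
  const callRe = new RegExp(`\\b${ident}\\(\\s*\\{`, 'g');
  let call;
  while ((call = callRe.exec(source)) !== null) {
    const options = extractObjectLiteral(source, source.indexOf('{', call.index));
    if (!options) continue;
    const cookie = options.match(/\bcookie\s*:\s*\{/);
    // No cookie block: express-session defaults httpOnly to true, so nothing is reported.
    if (!cookie) continue;
    const cookieObj = extractObjectLiteral(options, cookie.index + cookie[0].length - 1);
    if (cookieObj && /\bhttpOnly\s*:\s*false\b/.test(cookieObj)) {
      const line = source.slice(0, call.index).split('\n').length;
      findings.push({ line, message: `${ident}() cookie configured with httpOnly: false` });
    }
  }
  return findings;
}

// Constructed sample sources (not real application code) to exercise the check.
const VULNERABLE_SAMPLE = `
const express = require('express');
const session = require('express-session');
const app = express();
app.use(session({
  secret: 'PLACEHOLDER-SECRET',
  resave: false,
  saveUninitialized: true,
  cookie: { secure: true, httpOnly: false },
}));
`;

// Secure variant, using a different alias to show identifier tracking.
const SECURE_SAMPLE = `
const express = require('express');
const expressSession = require('express-session');
const app = express();
app.use(expressSession({
  secret: 'PLACEHOLDER-SECRET',
  resave: false,
  saveUninitialized: true,
  cookie: { httpOnly: true },
}));
`;

// No cookie block at all: relies on express-session's default of httpOnly: true.
const DEFAULT_SAMPLE = `
const session = require('express-session');
app.use(session({ secret: 'PLACEHOLDER-SECRET', resave: false, saveUninitialized: true }));
`;

for (const [name, src] of Object.entries({ VULNERABLE_SAMPLE, SECURE_SAMPLE, DEFAULT_SAMPLE })) {
  console.log(name, scanExpressSession(src));
}
```

Running the script reports one finding at line 5 of the vulnerable sample and nothing for the other two; a production rule would work on a real AST rather than regexes and brace counting, but the decision logic is the same as the strategy listed above.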
Vulnerable code example
const express = require('express');
const session = require('express-session');
const app = express();
// Vulnerable: httpOnly: false allows client-side JavaScript to read the session cookie
app.use(session({
  secret: 'REPLACE-WITH-A-REAL-SECRET', // placeholder: express-session requires a secret
  resave: false,
  saveUninitialized: true,
  cookie: { httpOnly: false },
}));
✅ Secure code example
const express = require('express');
const session = require('express-session');
const app = express();
app.use(session({
  secret: 'REPLACE-WITH-A-REAL-SECRET', // placeholder: express-session requires a secret
  resave: false,
  saveUninitialized: true,
  cookie: {
    httpOnly: true, // the session cookie is not readable from document.cookie
  },
}));
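The source-level fix above can also be verified at the HTTP layer. The following is an added example, not part of the original page: after the configuration is corrected, an integration test can request a page that starts a session and inspect the Set-Cookie headers the server returns, confirming that the session cookie (express-session's default cookie name is connect.sid) carries the HttpOnly attribute. The header strings are constructed samples, not captured traffic.

```javascript
// Added example (not part of the original page): verify at the HTTP layer
// that the session cookie is sent with the HttpOnly attribute.

// Parses one Set-Cookie header value into its name and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, attributes };
}

// Returns the problems found with the named session cookie (empty array when it is fine).
// cookieName defaults to connect.sid, express-session's default cookie name.
function checkSessionCookie(setCookieHeaders, cookieName = 'connect.sid') {
  const cookie = setCookieHeaders.map(parseSetCookie).find((c) => c.name === cookieName);
  if (!cookie) return [`no Set-Cookie for ${cookieName}`];
  const problems = [];
  if (cookie.attributes.httponly !== true) problems.push('HttpOnly attribute missing');
  return problems;
}

// Constructed samples of what the server emits with and without httpOnly (not captured traffic).
const WITHOUT_HTTPONLY = ['connect.sid=s%3Aexample.signature; Path=/'];
const WITH_HTTPONLY = ['connect.sid=s%3Aexample.signature; Path=/; HttpOnly'];

console.log(checkSessionCookie(WITHOUT_HTTPONLY)); // ['HttpOnly attribute missing']
console.log(checkSessionCookie(WITH_HTTPONLY));    // []
```

In a real test the header array would come from the HTTP response (with Node's built-in fetch, response.headers.getSetCookie() returns the list in this shape); failing the test when checkSessionCookie returns a non-empty array catches a regression of the httpOnly setting even if a later refactor moves the session configuration out of the scanned file.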