Go Secure Cookie Disabled
Description
Detects when cookies are created without the Secure flag enabled in Go applications. The Secure attribute instructs the browser to send the cookie only over HTTPS. When a cookie lacks it, the browser will also attach it to plain HTTP requests, so an attacker on the network path can read it by eavesdropping or by inducing the victim to load any http:// URL on the same host, even if the application itself is only served over HTTPS. This is particularly critical for cookies containing session tokens or other sensitive information, because capturing one is enough to hijack the session.
Detection Strategy
• Identifies cookie creation using net/http.Cookie or gorilla/sessions.Options in Go code
• Checks if the cookie being created contains sensitive data or authentication tokens
• Verifies whether the Secure property is explicitly set to false or simply omitted in the cookie configuration (in both net/http.Cookie and gorilla/sessions.Options the field is a bool whose zero value is false, so omitting it disables the flag)
• Reports a vulnerability when a sensitive cookie is configured without the Secure flag
Vulnerable code example
package main

import (
	"net/http"
	"github.com/gorilla/sessions"
)

var store = sessions.NewCookieStore([]byte("key"))
...

✅ Secure code example
package main

import (
	"net/http"
	"github.com/gorilla/sessions"
)

// Use a sufficiently random key for cookie store...
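The following is an added example, not code from the page above or from Fluid Attacks. It uses only the standard library (net/http and net/http/httptest) so it runs without gorilla/sessions, and shows the two cases the rule distinguishes side by side: a handler that never sets Secure, so the zero value false applies, and a hardened handler that sets it. The third function performs the same check the rule describes, but on the emitted Set-Cookie headers rather than on source code, which is also how you would confirm a finding at runtime. The handler path, cookie name and token value are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// VulnerableHandler issues a session cookie without ever mentioning Secure.
// http.Cookie.Secure is a bool, so the omitted field is false and the browser
// will send this cookie over plain HTTP as well as HTTPS.
func VulnerableHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name:     "session_id",
		Value:    "constructed-opaque-token", // placeholder, not a real session ID
		Path:     "/",
		HttpOnly: true,
	})
}

// HardenedHandler issues the same cookie with Secure set, so the browser only
// attaches it to HTTPS requests. SameSite is added as defence in depth.
func HardenedHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name:     "session_id",
		Value:    "constructed-opaque-token", // placeholder, not a real session ID
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	})
}

// InsecureCookieNames drives a handler with an in-memory request, parses the
// Set-Cookie headers of the recorded response back into http.Cookie values
// (as a browser or scanner would) and returns the names of every cookie that
// lacks the Secure attribute.
func InsecureCookieNames(h http.HandlerFunc) []string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/login", nil) // constructed path
	h(rec, req)

	var names []string
	for _, c := range rec.Result().Cookies() {
		if !c.Secure {
			names = append(names, c.Name)
		}
	}
	return names
}

func main() {
	fmt.Println("vulnerable handler, cookies missing Secure:", InsecureCookieNames(VulnerableHandler))
	fmt.Println("hardened handler, cookies missing Secure:  ", InsecureCookieNames(HardenedHandler))
}
```

With gorilla/sessions the equivalent fix is to set store.Options.Secure = true (and HttpOnly) right after sessions.NewCookieStore, since the store's default Options leave Secure at its zero value. A further browser-enforced safeguard is the __Host- name prefix: a cookie named __Host-session_id is rejected by the browser unless it carries Secure, has Path=/ and has no Domain attribute, so a regression that drops the flag fails visibly instead of silently weakening the session.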