Prevent XSS injection by setting HttpOnly to true


Metadata

ID: go-security/cookie-http-only

Language: Go

Severity: Info

Category: Security

CWE: 1004

Description

The HttpOnly attribute of an http.Cookie instructs the browser to withhold the cookie from client-side scripts: the browser still attaches it to matching requests, but document.cookie and similar script interfaces cannot read it. If an attacker gets a script to run in the page through a cross-site scripting (XSS) flaw, that script cannot read or exfiltrate a cookie carrying the attribute, which keeps the XSS from turning into a stolen session.

Leaving HttpOnly unset exposes the cookie to exactly that theft: an injected script can read the authentication token or session identifier from document.cookie, send it to an attacker-controlled host, and the attacker can replay it from their own browser.

Set HttpOnly on every cookie that carries sensitive data, session cookies in particular; it costs nothing and defeats the most common XSS payload. Be clear about what it does not do: the attribute neither prevents the injection itself nor stops an injected script from issuing requests that carry the cookie automatically (a fetch with credentials, a submitted form), so output encoding and input validation remain necessary, and the Secure and SameSite attributes belong on the same cookie.
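The following is an added example, not code from the rule page or from Datadog: a Go handler that issues a hardened session cookie, the legacy variant without HttpOnly for comparison, and an audit helper that runs a handler through net/http/httptest and reports which cookies it set without the attribute. It goes beyond the rule by also setting Secure and SameSite; the cookie name, the token value and the handler names are assumptions for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// newSessionCookie builds a session cookie with the attributes a
// bearer-token cookie should carry. HttpOnly is what this rule checks;
// Secure and SameSite are added on top of it (cookie name is assumed).
func newSessionCookie(token string, ttl time.Duration) *http.Cookie {
	return &http.Cookie{
		Name:     "session",
		Value:    token,
		Path:     "/",
		MaxAge:   int(ttl.Seconds()),
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	}
}

// weakCookieNames returns the names of the cookies in a response that a
// page script could read through document.cookie, i.e. those set without
// the HttpOnly attribute. It parses the Set-Cookie headers as a browser would.
func weakCookieNames(res *http.Response) []string {
	var weak []string
	for _, c := range res.Cookies() {
		if !c.HttpOnly {
			weak = append(weak, c.Name)
		}
	}
	return weak
}

// loginHandler issues the hardened cookie. The token is a constructed
// placeholder; a real handler would mint a random session identifier.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, newSessionCookie("opaque-session-token", time.Hour))
	w.WriteHeader(http.StatusNoContent)
}

// legacyLoginHandler is the non-compliant variant: same cookie, no HttpOnly.
func legacyLoginHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name:   "session",
		Value:  "opaque-session-token",
		Path:   "/",
		MaxAge: 3600,
	})
	w.WriteHeader(http.StatusNoContent)
}

// auditHandler drives a handler with a constructed request and reports the
// cookies it set without HttpOnly; an empty slice means the handler passes.
func auditHandler(h http.HandlerFunc) []string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/login", nil)
	h(rec, req)
	return weakCookieNames(rec.Result())
}

func main() {
	fmt.Println("hardened handler, cookies without HttpOnly:", auditHandler(loginHandler))
	fmt.Println("legacy handler, cookies without HttpOnly:", auditHandler(legacyLoginHandler))
}
```

The audit reads the response the way a browser does (res.Cookies() parses the Set-Cookie headers, including the HttpOnly attribute), so it catches cookies set through any code path, not only a literal http.Cookie struct; it is a useful assertion to keep in a handler's tests once the static finding has been fixed.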

Non-Compliant Code Examples

package main

import "net/http"

// Sets the session cookie with HttpOnly explicitly disabled: any script
// running in the page can read it through document.cookie.
func setSession(w http.ResponseWriter) {
	session := &http.Cookie{
		Name:     "session",
		Path:     "/",
		MaxAge:   3600,
		HttpOnly: false,
	}
	http.SetCookie(w, session)
}

Compliant Code Examples

package main

import "net/http"

// Sets the session cookie with HttpOnly enabled: the browser still sends it
// on matching requests, but page scripts cannot read it.
func setSession(w http.ResponseWriter) {
	session := &http.Cookie{
		Name:     "session",
		Path:     "/",
		MaxAge:   3600,
		HttpOnly: true,
	}
	http.SetCookie(w, session)
}