- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
ID: go-security/cookie-http-only
Language: Go
Severity: Info
Category: Security
CWE: 1004
The HttpOnly
attribute of an http.Cookie
is a security measure that helps protect cookies from certain types of attacks, such as cross-site scripting (XSS) attacks. When the HttpOnly
attribute is set, it instructs the browser that the cookie should not be accessible via client-side scripts, such as JavaScript. This means that even if a malicious script manages to execute on the client-side, it cannot access or manipulate the protected cookie, thus reducing the risk of sensitive information leakage.
Failing to set the HttpOnly
attribute leaves the cookie vulnerable to XSS attacks, where an attacker could potentially steal sensitive information stored in the cookie, such as authentication tokens or session identifiers.
To prevent such security risks, always ensure that the HttpOnly
attribute is set for cookies that contain sensitive information. This simple step can significantly enhance the security of your application. Additionally, following secure coding practices, such as validating and sanitizing user input, can help mitigate other security threats.
import (
"github.com/gorilla/sessions"
)
func main () {
session = http.Cookie {
Path: "/",
MaxAge: 3600,
HttpOnly: false,
}
}
func main () {
session = http.Cookie {
Path: "/",
MaxAge: 3600,
HttpOnly: true,
}
}
|
|
For more information, please read the Code Security documentation
Identify code vulnerabilities directly in yourVS Code editor
Identify code vulnerabilities directly inJetBrains products