Overview
This rule identifies instances where cookies are not explicitly set as HTTP-only, which can leave them vulnerable to unauthorized access via JavaScript. Cookies can contain sensitive information, such as session tokens, and their exposure to arbitrary or cross-site scripting can lead to significant security risks.
Code reviews classifies this issue as a Warning because these issues can place the application at risk and contribute to technical debt. They should be prioritized for fixing as soon as possible and also act as blockers for pull requests.
Why This Matters
Specifying cookies as HTTP-only significantly reduces the risk of malicious cookie access. When the HttpOnly flag is omitted, cookies become accessible through client-side scripts, increasing the risk of:
Sensitive Data Exposure: Cookies may contain sensitive information like session tokens, which could be compromised if accessed by malicious JavaScript.
Cross-Site Scripting (XSS) Attacks: In an XSS attack, malicious scripts injected into a web page can access and steal cookies if they are not marked as
HttpOnly.Session Hijacking: If an attacker gains access to a session cookie, they can impersonate the legitimate user, leading to unauthorized access to the application.
What Triggers This Rule
This rule identifies instances in Apex code where a System.Cookie object is instantiated using a constructor that does not implicitly or explicitly set the HttpOnly flag. The absence of the HttpOnly flag makes cookies vulnerable to client-side script access, which can lead to security vulnerabilities like Cross-Site Scripting (XSS) and session hijacking.
The rule specifically targets ApexClass and ApexTrigger files and analyzes Cookie object creation.
Example of Code That Will Trigger This Rule:
Any Apex code that creates a System.Cookie instance using a constructor with fewer than 7 parameters will trigger this rule.
public void setInsecureCookie() {
// ❌ This triggers the rule: Uses a 5-parameter constructor, HttpOnly is not explicitly set.
Cookie myInsecureCookie = new Cookie('sessionData', 'someValue123', null, '/', 3600);
ApexPages.currentPage().getCookies().add(myInsecureCookie);
// ❌ This also triggers the rule: Uses a 6-parameter constructor, HttpOnly is still not explicitly set.
Cookie anotherInsecureCookie = new Cookie('pref', 'darkmode', '/', null, 3600, true);
ApexPages.currentPage().getCookies().add(anotherInsecureCookie);
}
public void setSecureCookie() {
// ✅ This will NOT trigger the rule: Uses the 7-parameter constructor, allowing HttpOnly to be specified.
Cookie mySecureCookie = new Cookie('sessionID', 'secureValueXYZ', '/', 'example.com', 3600, true, true);
ApexPages.currentPage().getCookies().add(mySecureCookie);
}
Recommended Approach:
Aura Components / Lightning Web Components (LWC): Direct client-side JavaScript manipulation of cookies without the HttpOnly flag. While LWC and Aura run within Lightning Locker Service, which adds security, developers can still make insecure choices if not careful, especially when interacting with external resources or manipulating the DOM (though direct DOM manipulation is heavily restricted in LWC).
Summary
Security misconfigurations, such as not properly securing cookies, are a common vulnerability in web applications. According to the OWASP Top 10, "Security Misconfiguration" is a broad risk that includes improperly configured permissions and settings. Ensuring that sensitive cookies are marked as HttpOnly is a fundamental security best practice for session management and overall application security. You can find more information about this on the OWASP website.