Overview
This rule identifies instances where cookies are not explicitly set as HTTP only, which can leave them vulnerable to unauthorized access via JavaScript. Cookies can contain sensitive information, such as session tokens, and their exposure to arbitrary or cross site scripting can lead to significant security risks.
Code Reviews classifies this issue as a Warning because these issues can place the application at risk and contribute to technical debt. They should be prioritized for fixing as soon as possible and also act as blockers for pull requests.
Why This Matters
Specifying cookies as HTTP only significantly reduces the risk of malicious cookie access. When the HttpOnly flag is omitted, cookies become accessible through client side scripts, increasing the risk of:
Sensitive Data Exposure: Cookies may contain sensitive information like session tokens, which could be compromised if accessed by malicious JavaScript.
Cross Site Scripting (XSS) Attacks: In an XSS attack, malicious scripts injected into a web page can access and steal cookies if they are not marked as
HttpOnly.Session Hijacking: If an attacker gains access to a session cookie, they can impersonate the legitimate user, leading to unauthorized access to the application.
What Triggers This Rule
This rule identifies instances in Apex code where a System.Cookie object is instantiated using a constructor that does not implicitly or explicitly set the HttpOnly flag. The absence of the HttpOnly flag makes cookies vulnerable to client side script access, which can lead to security vulnerabilities like Cross Site Scripting (XSS) and session hijacking.
β
The rule specifically targets ApexClass and ApexTrigger files and analyzes Cookie object creation.
Recommended Approach
Aura Components / Lightning Web Components (LWC): Direct client side JavaScript manipulation of cookies without the HttpOnly flag. While LWC and Aura run within Lightning Locker Service, which adds security, developers can still make insecure choices if not careful, especially when interacting with external resources or manipulating the DOM (though direct DOM manipulation is heavily restricted in LWC).
Violation Example (Conceptual, as direct unsafe access is restricted by Locker Service but illustrates the intent):JavaScript
// Insecure cookie setting in client side JavaScript (if allowed by context) // Note: Lightning Locker Service would typically prevent direct access to document.cookie for sensitive operations, // but understanding the anti pattern is important. window.document.cookie = "app_setting=enabled; path=/";Recommended Approach:JavaScript
// For client side interactions where data needs to persist, consider alternatives like: // 1. Salesforce Platform Cache for temporary data. // 2. Custom Metadata Types or Custom Settings for configuration data. // 3. Secure Apex methods for server-side data storage and retrieval. // 4. Using Lightning Data Service for component data access where security is enforced by Salesforce. // If external system cookies are involved, ensure they are securely configured on the server side with HttpOnly and Secure flags.
Summary
Security misconfigurations, such as not properly securing cookies, are a common vulnerability in web applications. According to the OWASP Top 10, "Security Misconfiguration" is a broad risk that includes improperly configured permissions and settings. Ensuring that sensitive cookies are marked as
HttpOnly is a fundamental security best practice for session management and overall application security. You can find more information about this on the OWASP website.