Added secure flag to HTTP cookies (CodeQL)
codeql:java/insecure-cookie

| Importance | Review Guidance | Requires Scanning Tool |
|---|---|---|
| LOW | Merge Without Review | Yes (CodeQL) |
This change marks new cookies sent in HTTP responses with the "secure" flag. Despite its ambitious name, this flag provides only one type of protection: confidentiality in transit. The browser guarantees that a cookie with this flag is never sent over a cleartext channel ("http://") and is only sent over secure channels ("https://").
Our change introduces this flag with a simple 1-line statement:

```diff
Cookie cookie = new Cookie("my_cookie", userCookieValue);
+ cookie.setSecure(true);
response.addCookie(cookie);
```
Note: this code change may cause issues with the application if any of the places this code runs (in CI, pre-production or in production) are served over plaintext HTTP rather than HTTPS, because the browser will then never send the cookie back to the server.
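To make the two points above concrete, here is an added Python example (not part of the codemod or of CodeQL) that parses `Set-Cookie` response headers, lists cookies that lack the Secure flag (the condition the CodeQL rule reports on the server side), and models the browser's send decision so the plaintext-HTTP caveat is visible: a Secure cookie is simply never returned over `http://`. The header samples are constructed for illustration.

```python
"""Audit Set-Cookie headers for the Secure flag and model the browser's
send decision over http:// versus https://.

Added example; the header samples below are constructed, not taken
from any real application.
"""

from dataclasses import dataclass, field


@dataclass
class ParsedCookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Parse one Set-Cookie header value: name=value; Attr; Attr=val ..."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = ParsedCookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        key_l = key.strip().lower()
        if key_l == "secure":          # flag attribute, no value
            cookie.secure = True
        elif key_l == "httponly":      # flag attribute, no value
            cookie.http_only = True
        else:                          # Path, Max-Age, SameSite, ...
            cookie.attributes[key_l] = val.strip()
    return cookie


def find_insecure_cookies(headers: list[str]) -> list[str]:
    """Names of cookies set without Secure: what the codemod fixes."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.secure]


def browser_would_send(cookie: ParsedCookie, scheme: str) -> bool:
    """Secure cookies travel only over https; others over http and https."""
    if cookie.secure:
        return scheme == "https"
    return scheme in ("http", "https")


def cookies_lost_on_plaintext(headers: list[str]) -> list[str]:
    """Cookies an app served over plain http:// would never get back.

    This is the deployment caveat: after the codemod, every Secure cookie
    set by a plaintext environment (CI, staging) is silently dropped.
    """
    return [
        c.name
        for c in map(parse_set_cookie, headers)
        if not browser_would_send(c, "http")
    ]


# Constructed sample: one cookie already hardened, two without Secure.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "my_cookie=hello; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/; Max-Age=3600",
]


if __name__ == "__main__":
    print("missing Secure:", find_insecure_cookies(SAMPLE_HEADERS))
    print("dropped over http://:", cookies_lost_on_plaintext(SAMPLE_HEADERS))
```

Running the audit against captured response headers from each environment (CI, pre-production, production) before merging the codemod tells you where the new Secure cookies would be dropped, which is exactly the situation the note above warns about.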
F.A.Q.
Why is this codemod marked as Merge Without Review?
This code change may cause issues with the application if any of the places this code runs (in CI, pre-production or in production) are running over plaintext HTTP.