Property
Language: python
Severity: low
CWE: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code sets cookies in a Flask response without explicitly setting the 'secure', 'httponly', and 'samesite' options. This leaves the cookies exposed to theft or misuse: without 'httponly' they can be read by client-side scripts, without 'secure' the browser will also send them over plain HTTP, and without 'samesite' they are attached to cross-site requests.
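The example below is added here and is not part of the rule page or the Flask project. It uses only the Python standard library so it runs without Flask: `build_set_cookie` renders a Set-Cookie header with the same attribute flags that Flask's `response.set_cookie()` accepts, and `audit_set_cookie` is a small checker that reports which hardening attributes a header is missing (the Flask call is shown in a comment for reference). The header values and cookie names are constructed sample data.

```python
from http.cookies import SimpleCookie

# Attributes this rule expects on a sensitive cookie.
REQUIRED_ATTRS = ("secure", "httponly", "samesite")


def build_set_cookie(name, value, *, secure=False, httponly=False,
                     samesite=None, path="/"):
    """Render one Set-Cookie header value with the stdlib Morsel.

    This stands in for Flask's response.set_cookie(); the keyword flags
    mirror the ones Flask accepts. Hardened Flask equivalent (not run here):
        response.set_cookie("session", token, secure=True,
                            httponly=True, samesite="Lax")
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = path
    if secure:
        morsel["secure"] = True      # only sent over HTTPS
    if httponly:
        morsel["httponly"] = True    # hidden from document.cookie
    if samesite:
        morsel["samesite"] = samesite  # Lax/Strict limit cross-site sends
    return morsel.OutputString()


def audit_set_cookie(header_value):
    """Return a list of findings for one Set-Cookie header value.

    An empty list means the cookie carries Secure, HttpOnly and SameSite.
    SameSite=None without Secure is flagged separately because browsers
    reject that combination.
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:            # parts[0] is name=value
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    findings = [f"missing {a}" for a in REQUIRED_ATTRS if a not in attrs]
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    return findings


def audit_headers(headers):
    """Audit several Set-Cookie header values; returns {cookie_name: findings}."""
    report = {}
    for header_value in headers:
        name = header_value.split("=", 1)[0].strip()
        report[name] = audit_set_cookie(header_value)
    return report


if __name__ == "__main__":
    # Constructed sample: the weak default beside the hardened form.
    weak = build_set_cookie("session", "abc123")
    hardened = build_set_cookie("session", "abc123", secure=True,
                                httponly=True, samesite="Lax")
    for label, header in (("weak", weak), ("hardened", hardened)):
        print(f"{label}: Set-Cookie: {header}")
        print("  findings:", audit_set_cookie(header) or "none")
```

Running the module prints both headers and their findings; the weak cookie (`session=abc123; Path=/`) is reported as missing all three attributes, the hardened one produces no findings.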

Impact

Attackers could intercept or steal these cookies via cross-site scripting (XSS) or network attacks, potentially hijacking user sessions or accessing sensitive information. This could lead to unauthorized access to user accounts and compromise the security of the application and its users.