Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Cookies are set in Django without the ‘secure’, ‘httponly’ or ‘samesite’ attributes. Without them, a cookie may be transmitted over unencrypted connections or read by client-side scripts, leaving it open to theft or misuse.
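As an added illustration (not part of this rule page or of Django itself), the snippet below renders the same session cookie the weak way and the hardened way and audits the resulting `Set-Cookie` header for the three missing attributes. It uses the standard-library `http.cookies` module so it runs without Django; the Django equivalent is `response.set_cookie(name, value, secure=True, httponly=True, samesite="Lax")`.

```python
from http.cookies import SimpleCookie

# The three attributes this rule looks for on a sensitive cookie.
REQUIRED_ATTRS = ("secure", "httponly", "samesite")


def build_set_cookie(name, value, secure=False, httponly=False, samesite=None):
    """Render a Set-Cookie header value the way a framework would.

    Defaults mirror the weak call: no Secure, no HttpOnly, no SameSite.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    if secure:
        cookie[name]["secure"] = True      # only sent over HTTPS
    if httponly:
        cookie[name]["httponly"] = True    # hidden from document.cookie
    if samesite:
        cookie[name]["samesite"] = samesite  # not attached to cross-site requests
    return cookie[name].OutputString()


def audit_set_cookie(header):
    """Return the hardening attributes absent from one Set-Cookie value.

    Attribute names are case-insensitive per RFC 6265, so compare lowercased.
    """
    present = {
        part.strip().split("=", 1)[0].lower()
        for part in header.split(";")[1:]
    }
    return [attr for attr in REQUIRED_ATTRS if attr not in present]


if __name__ == "__main__":
    # Constructed sample value; a real session id would come from the framework.
    weak = build_set_cookie("sessionid", "abc123")
    hardened = build_set_cookie("sessionid", "abc123",
                                secure=True, httponly=True, samesite="Lax")
    print(weak, "-> missing:", audit_set_cookie(weak))
    print(hardened, "-> missing:", audit_set_cookie(hardened))
```

For cookies Django sets itself, the same attributes are controlled by the `SESSION_COOKIE_SECURE`, `SESSION_COOKIE_HTTPONLY`, `SESSION_COOKIE_SAMESITE` and `CSRF_COOKIE_SECURE` settings.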
Impact
If exploited, attackers could intercept cookies over unsecured connections or access them via malicious scripts, potentially leading to session hijacking, user impersonation, or unauthorized access to sensitive data. This weakens the application’s overall security and puts user accounts at risk.