Property
Language: python
Severity: low
CWE: CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

A response in your Pyramid application sets a cookie without the HttpOnly flag (the httponly=True argument of response.set_cookie()). Without that flag the browser exposes the cookie to client-side script through document.cookie, so an attacker who can run JavaScript in the page via a cross-site scripting (XSS) vulnerability can read the cookie and send it elsewhere.
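The check below is an added example, not Bearer's rule implementation and not Pyramid's own code. It audits the Set-Cookie headers of an outgoing response for the missing HttpOnly flag described above, and shows the shape of a Pyramid tween (httponly_audit_tween_factory is a hypothetical name) that would run that audit on every response once registered with config.add_tween. It operates on the (header name, header value) list that a Pyramid/WebOb Response exposes as response.headerlist, so it runs without Pyramid installed; the sample headerlist is constructed for the example.

```python
"""Audit outgoing Set-Cookie headers for a missing HttpOnly flag.

Added example, not Bearer's rule implementation and not Pyramid's own code.
It works on the (header_name, header_value) list a Pyramid (WebOb) Response
exposes as ``response.headerlist``, so it needs no Pyramid import to run;
``httponly_audit_tween_factory`` is a hypothetical name for a tween you would
register with ``config.add_tween``.
"""
import logging
from http.cookies import SimpleCookie

log = logging.getLogger(__name__)


def cookies_missing_httponly(headerlist, allow=frozenset()):
    """Return the names of cookies set without HttpOnly, in header order.

    ``allow`` lists cookies that are meant to be script-readable (for
    example a double-submit CSRF token) and must not be reported.
    """
    missing = []
    for header_name, header_value in headerlist:
        if header_name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(header_value)  # parses attributes such as HttpOnly, Secure, SameSite
        for cookie_name, morsel in jar.items():
            # Morsel stores flag attributes as True when present, "" otherwise.
            if not morsel["httponly"] and cookie_name not in allow:
                missing.append(cookie_name)
    return missing


def httponly_audit_tween_factory(handler, registry, allow=frozenset()):
    """Pyramid-style tween: log every cookie a response sets without HttpOnly.

    Hypothetical name; register with config.add_tween. Logging rather than
    rewriting the header keeps the decision with the view that set the cookie.
    """
    def tween(request):
        response = handler(request)
        for cookie_name in cookies_missing_httponly(response.headerlist, allow):
            log.warning("cookie %r set without HttpOnly on %s",
                        cookie_name, getattr(request, "path", "?"))
        return response
    return tween


# Constructed sample of what a response's headerlist might contain.
SAMPLE_HEADERLIST = [
    ("Content-Type", "text/html; charset=UTF-8"),
    # Flagged: session token readable through document.cookie.
    ("Set-Cookie", "session=abc123; Path=/; SameSite=Lax"),
    # Fine: the shape of what response.set_cookie(..., httponly=True,
    # secure=True, samesite='Lax') emits.
    ("Set-Cookie", "auth=xyz; Path=/; HttpOnly; Secure; SameSite=Lax"),
    # Intentionally script-readable (double-submit CSRF token); allowlisted below.
    ("Set-Cookie", "csrf_token=tok; Path=/"),
]


class _StubResponse:
    """Minimal stand-in for a Pyramid Response exposing only headerlist."""
    def __init__(self, headerlist):
        self.headerlist = headerlist


def demo():
    """Run the tween over the constructed sample and return the flagged names."""
    tween = httponly_audit_tween_factory(
        lambda request: _StubResponse(SAMPLE_HEADERLIST), registry=None,
        allow={"csrf_token"})
    response = tween(request=None)
    return cookies_missing_httponly(response.headerlist, allow={"csrf_token"})


if __name__ == "__main__":
    print(demo())  # ['session']
```

The fix in the view itself is to pass httponly=True (and, for anything sensitive, secure=True and a samesite value) to response.set_cookie(); the audit only reports cookies that were set without it. The allow set exists because some cookies must stay script-readable by design, such as a double-submit CSRF token, and those should be allowlisted rather than silently rewritten.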

Impact

If exploited, an attacker can steal sensitive cookies such as session tokens from a user's browser and replay them to hijack the user's account or reach protected areas of the application. Note that HttpOnly only stops script from reading the cookie value: JavaScript injected through XSS can still issue requests that the browser authenticates with the cookie, so the flag limits the damage of an XSS bug rather than removing it.