# Sensitive Cookie Without ‘HttpOnly’ Flag
| Property | Value |
|---|---|
| Language | Python |
| Severity | |
| CWE | CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
## Description

A response in your Pyramid application sets a cookie without explicitly setting the `httponly` flag to `True`. This means the cookie is not restricted to HTTP transport and can be read by client-side scripts running in the browser (for example through `document.cookie`).
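The check below is an added example, not code from the original page or from the Pyramid project. It audits the `Set-Cookie` headers a response emits (the `(name, value)` header list a WSGI/Pyramid response exposes) and reports cookies with session- or auth-like names that lack the `HttpOnly` attribute, which is what Pyramid's `response.set_cookie(..., httponly=True)` adds. The header strings and the sensitive-name pattern are constructed for the example and should be adjusted to the cookie names your application actually uses.

```python
"""Audit Set-Cookie headers for missing HttpOnly (and Secure) attributes.

Standard-library only, so it runs without Pyramid installed. The header
values below are constructed to resemble what Pyramid emits for
``response.set_cookie('session', 'abc123')`` with and without
``httponly=True``; they are illustrative, not captured output.
"""
import re
from dataclasses import dataclass, field

# Cookie names that usually carry session or authentication material.
# Constructed pattern for this example; extend it with your app's names.
SENSITIVE_NAME_PATTERN = re.compile(r"session|auth|token|csrf", re.IGNORECASE)


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    sensitive: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (cookie name, {attribute: value}).

    Flag attributes without a value (HttpOnly, Secure) map to True;
    valued attributes (Path=/, Max-Age=3600) map to their string value.
    Attribute names are lower-cased because they are case-insensitive.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return name.strip(), attrs


def audit_set_cookie(header_value):
    """Return a CookieAudit describing one Set-Cookie header."""
    name, attrs = parse_set_cookie(header_value)
    sensitive = bool(SENSITIVE_NAME_PATTERN.search(name))
    httponly = attrs.get("httponly") is True
    secure = attrs.get("secure") is True
    findings = []
    if sensitive and not httponly:
        findings.append("CWE-1004: sensitive cookie without HttpOnly")
    if sensitive and not secure:
        findings.append("sensitive cookie without Secure")
    return CookieAudit(name, httponly, secure, sensitive, findings)


def audit_response_headers(headerlist):
    """Audit every Set-Cookie entry in a list of (header, value) tuples."""
    return [audit_set_cookie(value)
            for header, value in headerlist
            if header.lower() == "set-cookie"]


# Constructed sample header lists standing in for response.headerlist.
VULNERABLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "session=abc123; Path=/"),          # no httponly=True
    ("Set-Cookie", "theme=dark; Path=/"),              # not sensitive
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),  # httponly=True, secure=True
    ("Set-Cookie", "theme=dark; Path=/"),
]


def count_findings(headerlist):
    """Total number of findings across all Set-Cookie headers in a response."""
    return sum(len(audit.findings) for audit in audit_response_headers(headerlist))


if __name__ == "__main__":
    for label, headers in (("vulnerable", VULNERABLE_HEADERS),
                           ("hardened", HARDENED_HEADERS)):
        print(f"== {label} response ==")
        for audit in audit_response_headers(headers):
            status = "; ".join(audit.findings) or "ok"
            print(f"  {audit.name}: {status}")
```

In a Pyramid test suite the same function can be pointed at `response.headerlist` from a view under test, so a cookie that regresses to `httponly=False` fails the build rather than reaching production.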
## Impact

If exploited, attackers could steal sensitive cookies through cross-site scripting (XSS), potentially gaining unauthorized access to user accounts or sensitive data. This weakens session security and increases the risk of account compromise.