CodeAnt AI home pagelight logodark logo
  • Support
  • Dashboard
  • Dashboard
Documentation
API Reference
Start Here
  • What is CodeAnt?
  • Join Community
Setup
  • Github
  • GitHub Enterprise
  • Bitbucket
  • Gitlab
  • Azure Devops
Pull Request Review
  • Features
  • Customize Review
  • Quality Gates
  • Integrations
Scan center
  • Code Security
  • Code Quality
  • Cloud Security
  • Engineering Productivity
Integrations
  • Jira
  • Test Coverage
  • Quality gates
  • Automated scans
IDE
  • Setup
  • Review
  • Enhancements
Rule Reference
  • Compliance
  • Anti-Patterns
  • Code Governance
  • Infrastructure Security Database
  • Application Security Database
    • Apex
    • Bash
    • C
    • Clojure
    • Cpp
    • Csharp
    • Dockerfile
    • Elixir
    • Fingerprints
    • Generic
    • Go
    • Html
    • Java
      • Android
      • Aws-lambda
      • Castor
      • Java-jwt
      • Jax-rs
      • Jboss
      • Jdo
      • Jedis
      • Jjwt
      • Jsch
      • Kryo
      • Lang
      • Micronaut
      • Mongo
      • Mongodb
      • Mysql
      • Okhttp
      • Rmi
      • Servlets
        • Security
        • Security
          • Audit
            • Cookie-httponly-false
              • Cookie httponly false
            • Cookie-missing-httponly
            • Cookie-missing-samesite
            • Cookie-missing-secure-flag
            • Cookie-secure-flag-false
            • Formatted-sql-string
            • Http-response-splitting
            • Unvalidated-redirect
            • Url-rewriting
            • Xssrequestwrapper-is-insecure
          • Castor-deserialization-deepsemgrep
          • Crlf-injection-logs-deepsemgrep
          • Crlf-injection-logs
          • Httpservlet-path-traversal-deepsemgrep
          • Httpservlet-path-traversal
          • Kryo-deserialization-deepsemgrep
          • No-direct-response-writer-deepsemgrep
          • No-direct-response-writer
          • Nosql-injection-servlets
          • Objectinputstream-deserialization-servlets
          • Servletresponse-writer-xss-deepsemgrep
          • Servletresponse-writer-xss
          • Tainted-cmd-from-http-request-deepsemgrep
          • Tainted-cmd-from-http-request
          • Tainted-code-injection-from-http-request-deepsemgrep
          • Tainted-code-injection-from-http-request
          • Tainted-ldapi-from-http-request-deepsemgrep
          • Tainted-ldapi-from-http-request
          • Tainted-session-from-http-request-deepsemgrep
          • Tainted-session-from-http-request
          • Tainted-sql-from-http-request-deepsemgrep
          • Tainted-sql-from-http-request
          • Tainted-ssrf-deepsemgrep-add
          • Tainted-ssrf-deepsemgrep-format
          • Tainted-ssrf-deepsemgrep
          • Tainted-ssrf
          • Tainted-xml-decoder-deepsemgrep
          • Tainted-xml-decoder
          • Tainted-xpath-from-http-request-deepsemgrep
          • Tainted-xpath-from-http-request
          • Xstream-anytype-deserialization-deepsemgrep
          • Xxe
      • Spring
      • Thymeleaf
      • Xstream
    • Javascript
    • Json
    • Kotlin
    • Ocaml
    • Php
    • Problem-based-packs
    • Python
    • Ruby
    • Rust
    • Scala
    • Solidity
    • Swift
    • Terraform
    • Typescript
    • Yaml
Resources
  • Open Source
  • Blogs
Cookie-httponly-false

Cookie httponly false

cookie-httponly-false

A cookie was detected without setting the ‘HttpOnly’ flag. The ‘HttpOnly’ flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the ‘HttpOnly’ flag by calling ‘cookie.setHttpOnly(true);‘
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag
OWASP:
- A05:2021 - Security Misconfiguration
SecurityCookie missing httponly
twitterlinkedin
Powered by Mintlify
Assistant
Responses are generated using AI and may contain mistakes.