CodeAnt AI Application Security Database: Python / Flask / Security
Flask cookie samesite missing
Detected cookie options with the SameSite attribute set to “None”. This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies store and transmit session-related data between a client and a server. To enhance security, a cookie can be marked with the “SameSite” attribute, which restricts whether the browser attaches it to cross-site requests. This attribute can have three values: “Strict”, “Lax”, or “None”. Make sure the SameSite attribute of important cookies (e.g., the session cookie) is set to a reasonable value. When SameSite is set to “Strict”, the cookie is never sent with cross-site requests; this is the most secure and private setting, but it is harder to deploy with good usability. Setting it to “Lax” is the minimum requirement.
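The following is an added example, not CodeAnt's rule code or Flask's own code. It builds Set-Cookie header values of the shape Flask emits for `response.set_cookie(...)` (the `SimpleCookie` builder and the sample values are constructed here; the Flask default, when no `samesite=` is passed, is to omit the attribute) and audits them for the two weak cases this rule is about: the attribute missing and the attribute set to “None”. The audit logic and its result labels are this example's own.

```python
"""Audit Set-Cookie headers for a missing or "None" SameSite attribute.

Added example, not CodeAnt's or Flask's code. A Flask app fixes the
finding by passing samesite="Lax" (or "Strict") to response.set_cookie()
and, for the session cookie, by setting
    app.config["SESSION_COOKIE_SAMESITE"] = "Lax"
The headers audited below are constructed by hand to mirror that output.
"""
from http.cookies import SimpleCookie


def build_set_cookie(name, value, samesite=None, secure=False, httponly=False):
    """Render one Set-Cookie header value with the standard library.

    samesite=None means the attribute is omitted entirely, which is what
    Flask does by default when no samesite argument is given.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    if samesite is not None:
        morsel["samesite"] = samesite
    morsel["secure"] = secure
    morsel["httponly"] = httponly
    return morsel.OutputString()


def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.lower()] = val
        else:
            attrs[part.lower()] = True  # bare flags such as Secure, HttpOnly
    return name, attrs


def audit_set_cookie(header):
    """Classify one Set-Cookie header by its SameSite handling.

    Returns (cookie name, label) where label is one of:
      "samesite-missing"  attribute absent; browser behaviour then depends
                          on the browser's default rather than on the app
      "samesite-none"     cross-site sending explicitly allowed (Secure set)
      "samesite-none-without-secure"  SameSite=None that browsers reject
                          or treat inconsistently because Secure is absent
      "ok"                Lax or Strict
    """
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite")
    if samesite is None:
        return name, "samesite-missing"
    if str(samesite).lower() == "none":
        if attrs.get("secure") is not True:
            return name, "samesite-none-without-secure"
        return name, "samesite-none"
    return name, "ok"


def audit_headers(headers):
    """Audit several Set-Cookie values; return only the findings."""
    return [audit_set_cookie(h) for h in headers
            if audit_set_cookie(h)[1] != "ok"]


if __name__ == "__main__":
    # Constructed sample: what Flask would emit for three set_cookie() calls.
    samples = [
        build_set_cookie("session", "abc123", httponly=True),            # default: flagged
        build_set_cookie("tracker", "x1", samesite="None", secure=True),  # explicit None: flagged
        build_set_cookie("session", "abc123", samesite="Lax",
                         secure=True, httponly=True),                    # hardened: ok
    ]
    for cookie_name, label in audit_headers(samples):
        print(f"{cookie_name}: {label}")
```

Run as a script, it prints the two weak cookies and stays silent for the hardened one; `audit_headers` can be pointed at the `Set-Cookie` headers of a real response (for example the list returned by `response.headers.getlist("Set-Cookie")` in a Flask test client) to check an application's actual output rather than the source code.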
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-1275: Sensitive Cookie with Improper SameSite Attribute
OWASP:
- A01:2021 - Broken Access Control