Found a Pyramid cookie using an unsafe value for the samesite option. Pyramid cookies should be handled securely by setting samesite='Lax' in response.set_cookie(…). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-1275: Sensitive Cookie with Improper SameSite Attribute
OWASP:
- A01:2021 - Broken Access Control
pyramid-authtkt-cookie-httponly-unsafe-default
Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
OWASP:
- A05:2021 - Security Misconfiguration
pyramid-csrf-origin-check-disabled-globally
Automatic check of the referrer for cross-site request forgery tokens has been explicitly disabled globally, which might leave views unprotected when an unsafe CSRF storage policy is used. Use 'pyramid.config.Configurator.set_default_csrf_options(check_origin=True)' to turn on the automatic check for all unsafe methods (per RFC2616).
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control
pyramid-authtkt-cookie-secure-unsafe-value
Found a Pyramid Authentication Ticket cookie without the secure option correctly set. Pyramid cookies should be handled securely by setting secure=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
OWASP:
- A05:2021 - Security Misconfiguration
pyramid-set-cookie-httponly-unsafe-default
Found a Pyramid cookie using an unsafe default for the httponly option. Pyramid cookies should be handled securely by setting httponly=True in response.set_cookie(…). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
OWASP:
- A05:2021 - Security Misconfiguration
pyramid-csrf-origin-check-disabled
Origin check for the CSRF token is disabled for this view. This might represent a security risk if the CSRF storage policy is not known to be secure.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control
pyramid-authtkt-cookie-secure-unsafe-default
Found a Pyramid Authentication Ticket cookie using an unsafe default for the secure option. Pyramid cookies should be handled securely by setting secure=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
OWASP:
- A05:2021 - Security Misconfiguration
pyramid-set-cookie-secure-unsafe-value
Found a Pyramid cookie without the secure option correctly set. Pyramid cookies should be handled securely by setting secure=True in response.set_cookie(…). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
OWASP:
- A05:2021 - Security Misconfiguration
pyramid-set-cookie-secure-unsafe-default
Found a Pyramid cookie using an unsafe default for the secure option. Pyramid cookies should be handled securely by setting secure=True in response.set_cookie(…). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
OWASP:
- A05:2021 - Security Misconfiguration
pyramid-authtkt-cookie-samesite
Found a Pyramid Authentication Ticket without the samesite option correctly set. Pyramid cookies should be handled securely by setting samesite='Lax'. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-1275: Sensitive Cookie with Improper SameSite Attribute
OWASP:
- A01:2021 - Broken Access Control
pyramid-set-cookie-httponly-unsafe-value
Found a Pyramid cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True in response.set_cookie(…). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
OWASP:
- A05:2021 - Security Misconfiguration
pyramid-set-cookie-samesite-unsafe-value
Found a Pyramid cookie without the samesite option correctly set. Pyramid cookies should be handled securely by setting samesite='Lax' in response.set_cookie(…). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-1275: Sensitive Cookie with Improper SameSite Attribute
OWASP:
- A01:2021 - Broken Access Control
pyramid-authtkt-cookie-httponly-unsafe-value
Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
OWASP:
- A05:2021 - Security Misconfiguration
pyramid-csrf-check-disabled
CSRF protection is disabled for this view. This is a security risk.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control