Audit

pyramid-set-cookie-samesite-unsafe-default

Found a Pyramid cookie using an unsafe value for the samesite option. Pyramid cookies should be handled securely by setting samesite=‘Lax’ in response.set_cookie(…). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-1275: Sensitive Cookie with Improper SameSite Attribute
OWASP:
- A01:2021 - Broken Access Control

pyramid-authtkt-cookie-httponly-unsafe-default

pyramid-csrf-origin-check-disabled-globally

Automatic check of the referrer for cross-site request forgery tokens has been explicitly disabled globally, which might leave views unprotected when an unsafe CSRF storage policy is used. Use ‘pyramid.config.Configurator.set_default_csrf_options(check_origin=True)’ to turn the automatic check for all unsafe methods (per RFC2616).
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control

pyramid-authtkt-cookie-secure-unsafe-value

pyramid-set-cookie-httponly-unsafe-default

pyramid-csrf-origin-check-disabled

Origin check for the CSRF token is disabled for this view. This might represent a security risk if the CSRF storage policy is not known to be secure.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control

pyramid-authtkt-cookie-secure-unsafe-default

pyramid-set-cookie-secure-unsafe-value

pyramid-set-cookie-secure-unsafe-default

pyramid-authtkt-cookie-samesite

pyramid-set-cookie-httponly-unsafe-value

pyramid-set-cookie-samesite-unsafe-value

pyramid-authtkt-cookie-httponly-unsafe-value

pyramid-csrf-check-disabled

CSRF protection is disabled for this view. This is a security risk.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control

Start Here

Setup

Pull Request Review

Scan center

Integrations

IDE

Rule Reference

Resources