Sensitive cookie without SameSite restrictions¶
ID: js/samesite-none-cookie
Kind: problem
Security severity: 5.0
Severity: warning
Precision: medium
Tags:
- security
- external/cwe/cwe-1275
Query suites:
- javascript-security-extended.qls
- javascript-security-and-quality.qls
Click to see the query in the CodeQL repository
Authentication cookies where the SameSite attribute is set to “None” can potentially be used to perform Cross-Site Request Forgery (CSRF) attacks if no other CSRF protections are in place.
With SameSite set to “None”, a third party website may create an authorized cross-site request that includes the cookie. Such a cross-site request can allow that website to perform actions on behalf of a user.
Recommendation¶
Set the SameSite attribute to Strict on all sensitive cookies.
Example¶
The following example stores an authentication token in a cookie where the SameSite attribute is set to None.
const http = require('http');
const server = http.createServer((req, res) => {
res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=None`);
res.writeHead(200, { 'Content-Type': 'text/html' });
res.end('<h2>Hello world</h2>');
});
To prevent the cookie from being included in cross-site requests, set the SameSite attribute to Strict.
const http = require('http');
const server = http.createServer((req, res) => {
res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=Strict`);
res.writeHead(200, { 'Content-Type': 'text/html' });
res.end('<h2>Hello world</h2>');
});
References¶
MDN Web Docs: SameSite cookies.
OWASP: SameSite.
Common Weakness Enumeration: CWE-1275.