• CodeQL query help documentation »
• CodeQL query help for Ruby »

Weak cookie configuration

ID: rb/weak-cookie-configuration
Kind: problem
Security severity: 7.8
Severity: warning
Precision: high
Tags:
   - external/cwe/cwe-732
   - external/cwe/cwe-1275
   - security
Query suites:
   - ruby-code-scanning.qls
   - ruby-security-extended.qls
   - ruby-security-and-quality.qls

Click to see the query in the CodeQL repository

Cookies can be used for security measures, such as authenticating a user based on cookies sent with a request. Misconfiguration of cookie settings in a web application can expose users to attacks that compromise these security measures.

Recommendation

Modern web frameworks typically have good default configuration for cookie settings. If an application overrides these settings, then take care to ensure that these changes are necessary and that they don’t weaken the cookie configuration.

Example

In the first example, the value of config.action_dispatch.cookies_same_site_protection is set to :none. This has the effect of setting the default SameSite attribute sent by the server when setting a cookie to None rather than the default of Lax. This may make the application more vulnerable to cross-site request forgery attacks.

In the second example, this option is instead set to :strict. This is a stronger restriction than the default of :lax, and doesn’t compromise on cookie security.

module App
  class Application < Rails::Application
    # Sets default `Set-Cookie` `SameSite` attribute to `None`
    config.action_dispatch.cookies_same_site_protection = :none

    # Sets default `Set-Cookie` `SameSite` attribute to `Strict`
    config.action_dispatch.cookies_same_site_protection = :strict
  end
end

References

• OWASP: SameSite.

• Rails: Configuring Action Dispatch.

• Common Weakness Enumeration: CWE-732.

• Common Weakness Enumeration: CWE-1275.

• © GitHub, Inc.
• Terms
• Privacy