CWE-1004
Overview
- CWE ID
- 1004
- CWE Name
- Sensitive Cookie Without 'HttpOnly' Flag
- CWE Abstraction
- Variant
- CWE structure
- Simple
- CWE Status
- Incomplete
Description
The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
Extended Description
The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker's s
Related CWEs
CWE ID | View ID | Nature | Ordinal |
---|---|---|---|
732 | 1000 | ChildOf | Primary |