CWE-1004

Overview
  • CWE ID: 1004
  • CWE Name: Sensitive Cookie Without 'HttpOnly' Flag
  • CWE Abstraction: Variant
  • CWE Structure: Simple
  • CWE Status: Incomplete
Description
The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
Extended Description
The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker's s
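An added example, not part of the CWE entry: a small Python check that parses Set-Cookie response header values, reports cookies on a constructed list of sensitive names that are set without the HttpOnly flag, and produces the corrected header. The cookie names and the sample header values are constructed for the example.

```python
# Added example, not part of the CWE entry: flag sensitive Set-Cookie
# headers that lack HttpOnly and produce the corrected header. The
# sensitive cookie names and the sample headers below are constructed.

SENSITIVE_NAMES = {"sessionid", "jsessionid", "phpsessid", "auth_token"}

# Constructed Set-Cookie values as they might appear in HTTP responses.
SAMPLE_HEADERS = [
    "sessionid=3f9a1c; Path=/; Secure",              # sensitive, no HttpOnly
    "JSESSIONID=7b2e; Path=/app; Secure; httponly",  # attribute names are case-insensitive
    "theme=dark; Path=/; Max-Age=31536000",          # not sensitive; script access is fine
]


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (cookie name, attribute dict).

    Attribute names are lower-cased because RFC 6265 treats them
    case-insensitively; bare flags such as HttpOnly map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def missing_httponly(headers, sensitive_names=SENSITIVE_NAMES):
    """Return the names of sensitive cookies set without HttpOnly (CWE-1004)."""
    findings = []
    for header_value in headers:
        name, attrs = parse_set_cookie(header_value)
        if name.lower() in sensitive_names and "httponly" not in attrs:
            findings.append(name)
    return findings


def with_httponly(header_value):
    """Corrected form: append the HttpOnly flag to a Set-Cookie value that lacks it."""
    _, attrs = parse_set_cookie(header_value)
    if "httponly" in attrs:
        return header_value
    return header_value.rstrip("; ") + "; HttpOnly"
```

The same check can be run over the Set-Cookie headers captured from a real response to confirm that every session or authentication cookie carries the flag.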
Related CWEs
CWE ID   View ID   Nature    Ordinal
732      1000      ChildOf   Primary