V50.2.1 (v4.0.3-3.4.1) - cookie secure attribute

OWASP / ASVS

Application Security Verification Standard

Creative Commons Attribution Share Alike 4.0 International

2.77k stars 672 forks source link

Current requirement, moved from V3.4.1 to V50.2.1 via #2410:	#	Description	L1	L2	L3	CWE
50.2.1	[MOVED FROM 3.4.1] Verify that cookie-based session tokens have the 'Secure' attribute set.	✓	✓	✓	614

Current requirement, moved from V3.4.1 to V50.2.1 via #2410:

Description

CWE

50.2.1

[MOVED FROM 3.4.1] Verify that cookie-based session tokens have the 'Secure' attribute set.

✓

614

Proposal update based on https://github.com/OWASP/ASVS/issues/2422#issuecomment-2507489508 + https://github.com/OWASP/ASVS/issues/2422#issuecomment-2507546095

Verify that cookie-based session tokens have the 'Secure' attribute set, and if the 'Host-' prefix is not used for the cookie name, the 'Secure-' prefix must be used for the cookie name.

The reasons:

Secure gives that browser is not allowed to send the cookie over http: connection
__Secure- gives that it is not possible to write a cookie with the same name without a Secure flag (including over http: connection)

OWASP / ASVS

V50.2.1 (v4.0.3-3.4.1) - cookie secure attribute #2419