nahsra / WebGoat_12_23


Added secure flag to HTTP cookies (CodeQL) #10

Closed pixeebot[bot] closed 5 months ago

pixeebot[bot] commented 5 months ago

This change marks new cookies sent over HTTP with the "secure" flag. This flag, despite its ambitious name, only provides one type of protection: confidentiality. Cookies with this flag are guaranteed by the browser never to be sent over a cleartext channel ("http://") and only sent over secure channels ("https://").

Our change introduces this flag with a simple 1-line statement:

  Cookie cookie = new Cookie("my_cookie", userCookieValue);
+ cookie.setSecure(true);
  response.addCookie(cookie);
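Review bot: the hunk hard-codes `cookie.setSecure(true)` without consulting the request, so in any environment served over plain http:// from a non-localhost origin (exactly the case the note below this snippet warns about, and the usual way a training app like WebGoat is run) the browser will refuse to store or return `my_cookie`, which will surface as a broken login rather than as a security control. If TLS cannot be guaranteed in every environment, derive the flag from the connection, e.g. `cookie.setSecure(request.isSecure());`, or from a trusted reverse proxy's `X-Forwarded-Proto` header when TLS is terminated upstream, and make production configuration fail closed. Also, the hunk sets only the Secure attribute and leaves HttpOnly unset; if `userCookieValue` is a session identifier, `cookie.setHttpOnly(true);` belongs right next to the added line.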

Note: this code change may cause issues with the application if any of the places this code runs (in CI, pre-production or in production) are running in non-HTTPS protocol.

More reading
* https://codeql.github.com/codeql-query-help/java/java-insecure-cookie/
* https://owasp.org/www-community/controls/SecureCookieAttribute
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
* https://cwe.mitre.org/data/definitions/614.html

I have additional improvements ready for this repo! If you want to see them, leave the comment:

@pixeebot next

... and I will open a new PR right away!

Powered by: pixeebot and CodeQL (codemod ID: codeql:java/insecure-cookie)
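As an added example (not the project's code and not part of this PR), here is one way to apply the Secure flag without running into the non-HTTPS problem the comment above warns about: decide the flag from the connection instead of hard-coding it, and set HttpOnly in the same place. It assumes the Jakarta Servlet API (swap the imports for `javax.servlet` on older containers) and that only a trusted reverse proxy can reach the application, so `X-Forwarded-Proto` is not client-controlled; `SecureCookies`, `isEffectivelyHttps` and `sessionStyleCookie` are hypothetical names chosen for the example.

```java
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/** Hypothetical helper for issuing cookies with the right transport flags. */
public final class SecureCookies {

    private SecureCookies() {}

    /**
     * True when the client connection is effectively HTTPS: either the servlet
     * container terminated TLS itself, or a trusted reverse proxy terminated it
     * and told us so via X-Forwarded-Proto. Assumption: the proxy overwrites
     * that header on every request, so a client cannot spoof "http" to strip
     * the Secure flag from a cookie issued over a real TLS session.
     */
    static boolean isEffectivelyHttps(HttpServletRequest request) {
        if (request.isSecure()) {
            return true;
        }
        String forwardedProto = request.getHeader("X-Forwarded-Proto");
        return forwardedProto != null
                && "https".equalsIgnoreCase(forwardedProto.trim());
    }

    /**
     * Builds a cookie whose Secure attribute mirrors the transport: set when the
     * request arrived over HTTPS (the browser will then never send it over
     * http://), left off in a plain-HTTP development setup so the cookie still
     * works there. HttpOnly is set unconditionally because a session-style
     * value has no business being readable from script.
     */
    static Cookie sessionStyleCookie(HttpServletRequest request,
                                     String name, String value) {
        Cookie cookie = new Cookie(name, value);
        cookie.setSecure(isEffectivelyHttps(request));
        cookie.setHttpOnly(true);
        cookie.setPath("/");
        return cookie;
    }

    /** Usage from a servlet or controller, mirroring the snippet in the PR. */
    static void issue(HttpServletRequest request, HttpServletResponse response,
                      String userCookieValue) {
        response.addCookie(sessionStyleCookie(request, "my_cookie", userCookieValue));
    }
}
```

Deriving the flag from the request is a convenience for mixed environments, not a substitute for TLS: in production the application should also be configured to fail closed (for example by refusing to start, or to issue the cookie, when `isEffectivelyHttps` is false), otherwise a misconfigured proxy silently downgrades every cookie it issues.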

sonarcloud[bot] commented 5 months ago

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

pixeebot[bot] commented 5 months ago

I'm confident in this change, and the CI checks pass, too!

If you see any reason not to merge this, or you have suggestions for improvements, please let me know!

pixeebot[bot] commented 5 months ago

This change may not be a priority right now, so I'll close it. If there was something I could have done better, please let me know!

You can also customize me to make sure I'm working with you in the way you want.