CSS-001 critical Cookies
Cookies use HttpOnly for sensitive data
Auth/session cookies configured with HttpOnly flag to prevent XSS attacks from stealing tokens
Question to ask
"Could XSS steal your session tokens right now?"
Verification guide
Severity: Critical
Session tokens, auth data, and any other sensitive value must be set with HttpOnly so script running in the page cannot read them through document.cookie. This blocks the most common XSS payoff, exfiltrating the session token, but it does not stop an XSS payload from issuing authenticated requests from inside the victim's browser, so treat it as containment rather than an XSS fix (output encoding and CSP are still required). Non-sensitive cookies (UI preferences, feature flags) can remain JS-accessible.
Check automatically:
- Find cookie-setting code in the codebase:
# Node/Express patterns
grep -rE "res\.cookie\(|\.setCookie\(|cookie\s*:" --include="*.ts" --include="*.js" src/ server/ api/ 2>/dev/null
# Next.js patterns
grep -rE "cookies\(\)\.set|serialize\(" --include="*.ts" --include="*.js" src/ app/ pages/ 2>/dev/null
# Generic Set-Cookie header
grep -rE "Set-Cookie|setHeader.*cookie" --include="*.ts" --include="*.js" src/ 2>/dev/null
- Check cookie configuration for HttpOnly:
# Look for httpOnly: true (good) or httpOnly: false (bad)
grep -rE "httpOnly\s*:" --include="*.ts" --include="*.js" -A2 -B2 src/ 2>/dev/null
# Look for cookie options objects
grep -rE "cookie.*\{|cookieOptions|sessionOptions" --include="*.ts" --include="*.js" src/ 2>/dev/null
- Check auth/session libraries (often configure cookies):
# Common libraries
grep -E "iron-session|next-auth|express-session|cookie-session|passport" package.json
# Find their config
grep -rE "ironOptions|authOptions|sessionConfig|cookieConfig" --include="*.ts" --include="*.js" src/ 2>/dev/null
- Check for document.cookie usage (client-side cookie access):
# Should only be for non-sensitive data (preferences, analytics)
grep -rE "document\.cookie" --include="*.ts" --include="*.js" --include="*.tsx" --include="*.jsx" src/ 2>/dev/null
- Verify with live headers (if production URL available):
curl -sI https://example.com | grep -i "set-cookie"
# Check: HttpOnly present? Secure present? SameSite set?
# Note: a HEAD of the homepage only shows cookies set on that one response, and the
# session cookie is normally issued by the login/session endpoint. Repeat the check
# against that endpoint with a test account, dumping headers rather than using HEAD:
curl -s -D - -o /dev/null https://example.com | grep -i "set-cookie"
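The following is an added example (it is not part of this checklist, nor code from Express, Next.js or any library named above) that turns the manual header review into a repeatable check. It builds Set-Cookie values from the same option-object shape the greps above search for (httpOnly/secure/sameSite keys, as used by express res.cookie and the cookie package), then audits a list of captured Set-Cookie headers and flags session-looking cookies that lack HttpOnly, Secure or SameSite. The cookie names, values and the name heuristic are constructed for the example; runs on Node.js with no dependencies.

```javascript
// Added example, not project code. Node.js, no dependencies.
// Assumption (constructed heuristic): cookies whose name matches this pattern carry
// auth state and must be HttpOnly. Adjust it to the cookie names your app actually sets.
const SENSITIVE_NAME = /session|sess|auth|token|jwt|sid/i;

// Mirrors the option-object shape of express res.cookie() / the `cookie` package.
// maxAge is taken in seconds here, as the `cookie` package does (express takes ms).
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${Math.floor(opts.maxAge)}`);
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.httpOnly) parts.push('HttpOnly');   // absent when httpOnly is false/unset
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// Parse one Set-Cookie header value into its name and the three flags we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const flags = { httpOnly: false, secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'httponly') flags.httpOnly = true;
    else if (key === 'secure') flags.secure = true;
    else if (key === 'samesite') flags.sameSite = (v || '').trim() || null;
  }
  return { name, ...flags };
}

// Audit a list of Set-Cookie header values (e.g. from `curl -s -D -` output or
// response.headers.getSetCookie() in Node 20's fetch). Returns one finding per
// sensitive cookie that fails, listing exactly what is missing.
function auditSetCookieHeaders(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!SENSITIVE_NAME.test(c.name)) continue; // non-sensitive cookies may be JS-readable
    const problems = [];
    if (!c.httpOnly) problems.push('missing HttpOnly');
    if (!c.secure) problems.push('missing Secure');
    if (!c.sameSite) problems.push('missing SameSite');
    if (problems.length) findings.push({ name: c.name, problems });
  }
  return findings;
}

// Demo on constructed headers: the "bad" cookie is what a bare
// res.cookie('session', token, { path: '/' }) produces; the "good" one is the fixed config.
const badSession = serializeCookie('session', 'abc', { path: '/' });
const goodSession = serializeCookie('session', 'abc', {
  path: '/', httpOnly: true, secure: true, sameSite: 'Lax',
});
const uiPref = serializeCookie('theme', 'dark', { path: '/' }); // fine without HttpOnly
console.log(auditSetCookieHeaders([badSession, goodSession, uiPref]));
// -> [ { name: 'session', problems: [ 'missing HttpOnly', 'missing Secure', 'missing SameSite' ] } ]
```

To run it against a live target, paste the Set-Cookie lines from the curl output (header values only, without the "Set-Cookie:" prefix) into the array passed to auditSetCookieHeaders, or collect them from a login request in Node via the fetch response's getSetCookie(). The Secure and SameSite findings overlap with SEC-005; they are reported here because a session cookie missing any of the three is the same evidence item.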
Cross-reference with:
- CSS-002 (tokens shouldn't be in browser storage either)
- CSS-003 (JWT storage practices)
- SEC-005 (Secure flag and SameSite attribute)
Pass criteria:
- Auth/session cookies configured with httpOnly: true
- document.cookie usage limited to non-sensitive data (preferences, UI state)
- Cookie library configs (iron-session, next-auth) have HttpOnly enabled
Fail criteria:
- Session/auth cookies with httpOnly: false or not set
- JWT tokens stored in JS-accessible cookies
- document.cookie used for auth tokens
Evidence to capture:
- Cookie-setting code locations and their httpOnly config
- Which cookies are set (names, purposes)
- Any document.cookie usage and what it's for
- Auth library cookie configuration