When a cookie is protected with the secure attribute set to true it will not be send by the browser over an unencrypted HTTP
request and thus cannot be observed by an unauthorized person during a man-in-the-middle attack.
When a cookie is created without the secure attribute set to true, browsers will transmit it over unencrypted HTTP
connections as well as HTTPS. An attacker who can observe or intercept network traffic—for example on a public Wi-Fi network—can read the cookie value
in cleartext.
If a session cookie is transmitted over an unencrypted HTTP connection, an attacker who can intercept the traffic can steal it. With a valid session cookie, the attacker can impersonate the victim and gain full access to their account without knowing their password. Even on sites that primarily use HTTPS, a single HTTP request containing the session cookie is enough to expose it.
Pass secure=True to set_cookie to prevent the cookie from being transmitted over unencrypted HTTP connections.
from flask import Response
@app.route('/')
def index():
response = Response()
response.set_cookie('key', 'value') # Noncompliant
return response
from flask import Response
@app.route('/')
def index():
response = Response()
response.set_cookie('key', 'value', secure=True)
return response
Pass secure=True to set_cookie to prevent the cookie from being transmitted over unencrypted HTTP connections.
from fastapi import FastAPI, Response
app = FastAPI()
@app.get('/')
async def index(response: Response):
response.set_cookie('key', 'value') # Noncompliant
return {"message": "Hello world!"}
from fastapi import FastAPI, Response
app = FastAPI()
@app.get('/')
async def index(response: Response):
response.set_cookie('key', 'value', secure=True)
return {"message": "Hello world!"}