Valid `Set-Cookie` header
Valid `Set-Cookie` header (`validate-set-cookie-header`)
This hint validates the `Set-Cookie` header and confirms that the `Secure` and `HttpOnly` directives are defined when the header is sent from a secure origin (HTTPS).
Why is this important?
A cookie is a small piece of information sent from a server to a user agent. The user agent might save it and send it along with future requests to identify the user session, track and analyze user behavior, or inform the server of the user's preferences. As a result, it often contains sensitive data. To create a cookie, the `Set-Cookie` header is sent from a server in response to requests.
In the `Set-Cookie` header, a cookie is defined by a name associated with a value. A web server can configure the `Domain` and `Path` directives to restrain the scope of cookies. While session cookies are deleted when a browser shuts down, permanent cookies expire at the time defined by `Expires` or `Max-Age`.
Among the directives, the `Secure` and `HttpOnly` attributes are particularly relevant to the security of cookies:

- Setting the `Secure` directive forbids a cookie from being transmitted over plain HTTP.
- Setting the `HttpOnly` directive prevents access to the cookie value through JavaScript.
Applying both directives makes it harder to exploit cross-site scripting (XSS) vulnerabilities and hijack authenticated user sessions. The Wikipedia page on HTTP cookies offers detailed examples of cookie theft and proxy requests when cookies are not well protected. According to the RFC HTTP State Management Mechanism, "When using cookies over a secure channel, servers SHOULD set the Secure attribute for every cookie". As a result, this hint checks whether the `Secure` and `HttpOnly` directives are properly used and also validates the `Set-Cookie` header syntax.
Note: More information about the `Set-Cookie` header is available in the MDN web docs.
What does the hint check?

`Secure` and `HttpOnly` cookies:

- `Secure` and `HttpOnly` directives should be present if sites are secure.
- `Secure` directive should not be present if sites are insecure.

Cookie prefixes:

- `__Secure-` and `__Host-` prefixes can be used only if sites are secure.
- Cookies with the `__Host-` prefix should have a `Path` of "/" (the entire host) and should not have a `Domain` attribute. Read more: cookie prefixes.

Syntax validation:

- Validate cookie name and value string.
- Validate `Expires` value date format.

Browser compatibility of `Max-Age` directive:

- Some browsers (ie6, ie7, and ie8) don't support `Max-Age`.
Examples that trigger the hint

`Set-Cookie` header that doesn't have a name-value string:

```http
HTTP/... 200 OK

...
Set-Cookie: Max-Age=0; Secure; HttpOnly
```

`Set-Cookie` header that doesn't have the `Secure` directive:

```http
HTTP/... 200 OK

...
Set-Cookie: cookieName=cookieValue; HttpOnly
```

`Set-Cookie` header that doesn't have the `HttpOnly` directive:

```http
HTTP/... 200 OK

...
Set-Cookie: cookieName=cookieValue; Secure
```

`Set-Cookie` header that has an invalid `name` or `value` string:

```http
HTTP/... 200 OK

...
Set-Cookie: "cookieName"=cookieValue; Secure; HttpOnly
```

```http
HTTP/... 200 OK

...
Set-Cookie: cookieName=cookie value; Secure; HttpOnly
```

`Set-Cookie` header that has prefixes in the cookie name but is sent from pages using the HTTP protocol:

From an insecure origin (HTTP):

```http
HTTP/... 200 OK

...
Set-Cookie: __Secure-ID=123; Secure; Domain=example.com
```

`Set-Cookie` header that has the `__Host-` prefix in the cookie name but has `Path` absent or `Domain` defined:

```http
HTTP/... 200 OK

...
Set-Cookie: __Host-id=1; Secure
```

```http
HTTP/... 200 OK

...
Set-Cookie: __Host-id=1; Secure; Path=/; domain=example.com
```

Examples that pass the hint

```http
HTTP/... 200 OK

...
Set-Cookie: cookieName=cookieValue; Secure; HttpOnly
```

```http
HTTP/... 200 OK

...
Set-Cookie: cookieName="cookieValue"; Secure; HttpOnly
```

```http
HTTP/... 200 OK

...
Set-Cookie: __Host-ID=123; Secure; Path=/; HttpOnly
```

```http
HTTP/... 200 OK

...
Set-Cookie: __Secure-ID=123; Secure; Domain=example.com; HttpOnly
```
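The following is an added example, not webhint's own code: a small Python validator that implements the checks listed under "What does the hint check?" and runs them over the trigger and pass examples above. The name/value grammar follows RFC 6265 (token for the name, cookie-octets optionally wrapped in double quotes for the value), `Expires` is checked with the standard library's HTTP date parser, and `secure_origin` stands in for webhint's knowledge of whether the response came over HTTPS. The `Max-Age` handling is an assumption: the page only says IE6-8 ignore it, so this example reports it when no `Expires` fallback is present.

```python
"""Added example, not webhint's own code: a Set-Cookie validator that
mirrors the checks described on the validate-set-cookie-header page."""

import re
from email.utils import parsedate_to_datetime

# RFC 6265 grammar: cookie-name is a token; cookie-value is a run of
# cookie-octets (no CTLs, SP, DQUOTE, comma, semicolon, backslash),
# optionally wrapped in a pair of DQUOTEs.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_OCTETS = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*"
_VALUE_RE = re.compile(rf'^(?:"{_OCTETS}"|{_OCTETS})$')

# Attribute names that must never appear where the cookie name belongs.
KNOWN_ATTRS = {"expires", "max-age", "domain", "path", "secure", "httponly", "samesite"}


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs); attrs keys are lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), (value.strip() if sep else None), attrs


def check_set_cookie(header, secure_origin=True):
    """Return the problems the hint would report; an empty list means the header passes.

    secure_origin says whether the response came over HTTPS, which decides
    whether Secure/HttpOnly are required and whether cookie prefixes are allowed.
    """
    name, value, attrs = parse_set_cookie(header)
    problems = []

    # 1. A name-value pair must come first; "Max-Age=0; ..." has none.
    if value is None or name.lower() in KNOWN_ATTRS:
        return ["missing cookie name-value pair"]

    # 2. Syntax of name and value.
    if not _TOKEN_RE.match(name):
        problems.append(f"invalid cookie name {name!r}")
    if not _VALUE_RE.match(value):
        problems.append(f"invalid cookie value {value!r}")

    # 3. Secure / HttpOnly relative to the origin's scheme.
    has_secure = "secure" in attrs
    if secure_origin:
        if not has_secure:
            problems.append("Secure directive missing on HTTPS origin")
        if "httponly" not in attrs:
            problems.append("HttpOnly directive missing on HTTPS origin")
    elif has_secure:
        problems.append("Secure directive set on HTTP origin")

    # 4. Cookie prefixes: only on HTTPS; __Host- needs Path=/ and no Domain.
    lower = name.lower()
    if lower.startswith(("__secure-", "__host-")) and not secure_origin:
        problems.append("cookie prefix used on an insecure (HTTP) origin")
    if lower.startswith("__host-"):
        if attrs.get("path") != "/":
            problems.append("__Host- cookie must have Path=/")
        if "domain" in attrs:
            problems.append("__Host- cookie must not have a Domain attribute")

    # 5. Expires must be a parseable HTTP date.
    if "expires" in attrs:
        try:
            parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            problems.append(f"invalid Expires date {attrs['expires']!r}")

    # 6. Max-Age compatibility. Assumption (not stated on the page): report it
    # only when there is no Expires fallback for browsers that ignore Max-Age.
    if "max-age" in attrs and "expires" not in attrs:
        problems.append("Max-Age is ignored by IE6-8 and no Expires fallback is set")

    return problems


if __name__ == "__main__":
    # Constructed sample: header values taken from the examples on this page.
    samples = [
        ("Max-Age=0; Secure; HttpOnly", True),
        ("cookieName=cookieValue; HttpOnly", True),
        ('"cookieName"=cookieValue; Secure; HttpOnly', True),
        ("__Secure-ID=123; Secure; Domain=example.com", False),
        ("__Host-id=1; Secure; Path=/; domain=example.com", True),
        ("__Host-ID=123; Secure; Path=/; HttpOnly", True),
    ]
    for header, secure in samples:
        verdict = check_set_cookie(header, secure_origin=secure)
        print(f"{'FAIL' if verdict else 'PASS'}  Set-Cookie: {header}")
        for problem in verdict:
            print(f"        - {problem}")
```

Run it directly to see a PASS/FAIL line per sample; `check_set_cookie` returns all problems for a header at once rather than stopping at the first, which is how a linter-style hint presents findings.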
How to use this hint?

This package is installed automatically by webhint:

```bash
npm install hint --save-dev
```

To use it, activate it via the `.hintrc` configuration file:

```json
{
    "connector": {...},
    "formatters": [...],
    "hints": {
        "validate-set-cookie-header": "error",
        ...
    },
    "parsers": [...],
    ...
}
```

Note: The recommended way of running webhint is as a devDependency of your project.