December 2019 Summaries
1 posts from Semgrep
Filter
Month:
Year:
Post Summaries
Back to Blog
In 2011, RFC6265 introduced important security mechanisms for managing cookies, such as the HttpOnly and Secure flags, to enhance web security by mitigating XSS and CSRF attacks. The SameSite attribute was later added to provide further protection against cross-site request forgery. The article discusses a security check implemented to ensure these attributes are set when cookies are created in Flask applications, highlighting that secure cookie settings are often underutilized despite their benefits. The check encourages developers to explicitly define the Secure, HttpOnly, and SameSite attributes when calling the set_cookie() function in Flask, though it allows for explicit disabling when necessary. An analysis of 715 Flask apps on GitHub revealed that most would benefit from these settings, suggesting the check serves as a useful reminder rather than an intrusive requirement. The article encourages developers to assess their codebases with tools like Bento to enhance security.
Dec 19, 2019
484 words in the original blog post.