Python
JavaScript
Java
Go
C#
Ansible
AWS CloudFormation Linter
C & C++
Dart Analyze
Docker
Kotlin
KubeLinter
PHP
Ruby
Rust
Scala
Secrets
Shell
Slither
Solhint
SQL
Swift
Terraform
Test coverageAudit required: Use of insecure `eval()` function foundPHP-A1000Syntax errorPHP-E1111Invalid use of `implements` keywordPHP-W1008Call with inconsistent number of parametersPHP-W1025Undefined function call detectedPHP-E1000Exception being raised is not from a valid exception classPHP-E1001Method is called but not definedPHP-E1002Invalid static method call detectedPHP-E1003Missing return statement in method/functionPHP-E1004Invalid use of class method overridingPHP-E1005Invalid typehint detected in arrow functionPHP-T1000Literal array with empty item(s)PHP-W1001Use of an empty `[]` to read from an arrayPHP-W1002Use of deprecated `(unset)` castPHP-W1003Bad class attribute(s)PHP-W1004Invalid usage of class constant fetch expressionPHP-W1006Duplicate declaration foundPHP-W1007Interface doesn't inherit from another interfacePHP-W1009Invalid use of `extends` keywordPHP-W1010Invalid use of `use`PHP-W1011Invalid property promotionPHP-W1013Invalid attribute classPHP-W1015Trait as attribute is not allowedPHP-W1016Function call parameters are inconsistentPHP-W1020`break` / `continue` used outside of a loopPHP-W1027Abstract method found outside of an abstract classPHP-W1030Undefined static properties must not be accessedPHP-W1034Undefined constants must not be usedPHP-W1038Detected use of `@` to suppress errorsPHP-W1078Attribute class cannot target class constantsPHP-W1005Access to an undefined static propertyPHP-E1007Audit required: Presence of debug function foundPHP-A1012Audit required: Use of an insecure cipherPHP-A1007Audit required: Include statements might be vulnerable to injection attacksPHP-A1001Audit required: SQL query might be vulnerable to injection attacksPHP-A1002Audit required: Sensitive cookie without `HttpOnly` attributePHP-A1003Audit required: Use of an insecure hashing functionPHP-A1004Audit required: Sensitive cookie without `secure` attributePHP-A1005Directory created with insecure permissionsPHP-A1006Manual generation of session ID detectedPHP-A1008Audit required: Function may be vulnerable to arbitrary commands executionPHP-A1009Audit required: Entity substitution can be vulnerable to XXE attacksPHP-A1010Found class constants inside a traitPHP-E1113`switch` statement contains multiple `default` casesPHP-E1114Invalid `options` array while creating a cookiePHP-E1116Abstract method has definitionPHP-E1118Use of compute intensive function in loop conditionPHP-P1000Use of duplicate type in Union types detectedPHP-T1005Use of nullable `mixed` is forbiddenPHP-T1006Nested function declaration is discouragedPHP-W1023Invalid typehint detected in functionPHP-W1029`echo` called with an invalid valuePHP-W1041Type casting is not validPHP-W1042`print` called with a value which isn't a `string`PHP-W1044Audit required: Insecure use of loggerPHP-A1011Class constants don't comply with PSR standardsPHP-C1000Invalid use of increment/decrement operatorsPHP-E1006Array contains duplicate keysPHP-W1000Undefined properties must not be accessedPHP-W1033`use` statement has no effectPHP-W1069Dead code found after `return`PHP-W1074Variable assigned to itselfPHP-W1077Parameter with a default value is not lastPHP-W1079Variable is used but not definedPHP-W1066Class method doesn't comply with PSR standardsPHP-C1001Invalid type used inside string literalPHP-W1043Use of deprecated `libxml_disable_entity_loader()`PHP-W1086Visibility should be explicitly declaredPHP-W1088Function comparison is always positivePHP-W1089Useless post increment/decrementPHP-W1090Missing native return type declaration for closure/anonymous functionPHP-T1003Unused private class property foundPHP-W1075Unused private class method foundPHP-W1076Invalid class instantiationPHP-W1012Invalid assignmentPHP-W1032`throw` expression used in PHP < 8.0PHP-W1017Invalid return typehint for functionPHP-T1002Unsafe usage of `new static()`PHP-W1014Invalid arrow functionPHP-W1018Invalid return typehint for closurePHP-T1001Abstract method defined in a non-abstract classPHP-E1115Unused variable in the closure `use`PHP-W1039Unused constructor parameterPHP-W1037Bad argument passed to `isset`PHP-W1040Typed property accessed before initializationPHP-E1008Class used with `instanceof` is not of valid typePHP-E1009`nullsafe` returned by referencePHP-W1019Invalid closure attributePHP-W1021Attribute class can not be used with functionPHP-W1022Attribute class can not be used with parameter/propertyPHP-W1024`nullsafe` expression returned by referencePHP-W1026Attribute class can not be used with methodPHP-W1031Attribute class can not be used with propertyPHP-W1035Useless `unset` callPHP-W1036Inaccessible propertyPHP-W1067Empty function/method foundPHP-W1080Empty block of code foundPHP-W1085Defining case-insensitive constants is deprecatedPHP-W1083Use of nested `switch` statements foundPHP-W1091`match` expression is returning `void`PHP-W1045Unknown magic method detectedPHP-W1081`final` keyword is redundantPHP-W1082Use of deprecated filter constantPHP-W1084`string` casting in concatenation is redundantPHP-W1087Missing class doc commentPHP-D1001Missing function/class method doc commentPHP-D1002Use of `FIXME`/`XXX`/`TODO` encounteredPHP-W1073Class property provided with an invalid typePHP-T1004Unresolvable use statementPHP-W1068`compact()` called with undefined variablesPHP-W1070Invalid regex pattern foundPHP-W1071Invalid symbol in group `use` statementPHP-W1072Consider using `func_num_args`PHP-P1001Function with cyclomatic complexity higher than threshold foundPHP-R1006
Audit required: Sensitive cookie without `secure` attributePHP-A1005
Critical
Security a02, cwe-614, cwe-311, cwe-315, sans-top-25, owasp-top-10
Cookies set without the secure flag can cause the user agent to send those cookies in plaintext over an HTTP session with the same server. This can be observed by an unauthorized person, leading to a man-in-the-middle attack.
In past it has led to the following vulnerabilities:
Generally, the production sites redirect any requests that are sent over HTTP to the same URL but on HTTPS. In this case, make sure that these HTTP requests that are immediately redirected to HTTPS do not carry any cookie that contains sensitive information. The secure flag limits cookies to HTTPS traffic only so, the browser will never send secure cookies with requests that are not encrypted.
Bad practice
// sensitive: cookie is set with 'secure' flag(6th parameter) to `false`, which can lead to security vulnerabilities in future
setcookie('user_data', 'sensitive value', time() + 3600, '', '', false);
Recommended
setcookie('user_data', 'sensitive value', time() + 3600, '', '', true);
References
setcookie()Function- OWASP Top 10:2021 > A02 - Cryptographic Failures
- OWASP Top 10:2017 > A03 - Sensitive Data Exposure
- CWE-311: Missing Encryption of Sensitive Data
- CWE-315: Cleartext Storage of Sensitive Information in a Cookie
- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Exceptions
While this issue mostly makes sense if you're setting a sensitive cookie, DeepSource will flag all the cookies encountered without the secure flag. This is to ensure that you are aware about all the cookies set, and avoid false negatives.