Harden servlet session and auth cookies
Session-like cookies must not disable HttpOnly or Secure, and explicit insecure builder flags should be removed.
# Metadata
# Why it matters
Missing HttpOnly and Secure flags expose cookies to XSS and network interception; disabling them makes theft materially easier.
# Remediation
Prefer ResponseCookie with Secure and HttpOnly enabled and a SameSite value appropriate for your topology, and keep the lifetime of authentication cookies as short as the application allows.
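The pattern this rule flags beside the remediated form, as an added example that is not part of the rule catalog or its code: the cookie name "SESSION", the 30-minute lifetime and the Jakarta Servlet / Spring `ResponseCookie` APIs are assumptions for illustration.

```java
import java.time.Duration;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;

public class SessionCookieExample {

    // What the rule flags: a session-like cookie (name "SESSION" is assumed)
    // with HttpOnly and Secure explicitly disabled and a long lifetime.
    static Cookie insecureSessionCookie(String sessionId) {
        Cookie c = new Cookie("SESSION", sessionId);
        c.setHttpOnly(false);            // readable via document.cookie, so XSS can exfiltrate it
        c.setSecure(false);              // sent over plain HTTP, so it can be intercepted in transit
        c.setMaxAge(60 * 60 * 24 * 30);  // 30 days widens the window in which a stolen value works
        c.setPath("/");
        return c;
    }

    // Remediated form: ResponseCookie with HttpOnly, Secure, SameSite and a short lifetime.
    static ResponseCookie hardenedSessionCookie(String sessionId) {
        return ResponseCookie.from("SESSION", sessionId)
                .httpOnly(true)                 // not exposed to script
                .secure(true)                   // only sent over TLS
                .sameSite("Lax")                // use "Strict" if no cross-site entry points exist
                .path("/")
                .maxAge(Duration.ofMinutes(30)) // assumed lifetime; pair with server-side expiry
                .build();
    }

    // Emits the hardened cookie as a Set-Cookie header on the servlet response.
    static void addSessionCookie(HttpServletResponse response, String sessionId) {
        response.addHeader(HttpHeaders.SET_COOKIE, hardenedSessionCookie(sessionId).toString());
    }

    // Defensive check for a unit test: the serialized header must carry every required attribute.
    static boolean hasRequiredAttributes(ResponseCookie cookie) {
        String header = cookie.toString();
        return header.contains("HttpOnly")
                && header.contains("Secure")
                && header.contains("SameSite=");
    }
}
```

`hasRequiredAttributes` inspects the serialized `Set-Cookie` value, so it can also be applied to cookies produced elsewhere in the application as a regression guard for this rule.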
# Repository path
The generated metadata points to critiq-rules/libs/rules/catalog/rules/java/java.security.servlet-insecure-cookie.rule.yaml.