security.authentication

Set `HttpOnly` on Express session cookies

Express session and cookie-session configs should not disable the `HttpOnly` flag.

# Metadata

# Why it matters

A session cookie that page scripts can read (for example through `document.cookie`) is easier to steal once an XSS bug exists, because the injected script can simply read it and send it elsewhere.

# Remediation

Set `httpOnly: true` in the cookie options so browser scripts cannot read the session cookie; the browser still sends it with requests, so server-side session handling is unaffected.
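The following is an added example, not code from this rule page or from the critiq-rules project. It shows a weak `express-session` configuration beside a hardened one, the equivalent `cookie-session` options (that library takes cookie options at the top level rather than under `cookie`), and a small `httpOnlyDisabled` check that mirrors what the rule looks for: an explicit `httpOnly: false`. Both libraries default `httpOnly` to `true`, so an omitted flag is not flagged. The secret and key values are constructed placeholders; the `app.use` wiring is left as a comment because Express itself is not loaded here.

```javascript
// Added example (not from the rule page or the critiq-rules project).

// Weak: opts out of HttpOnly, so page scripts can read the session id.
const weakSessionOptions = {
  secret: 'constructed-example-secret', // constructed placeholder, not a real secret
  resave: false,
  saveUninitialized: false,
  cookie: { httpOnly: false, secure: true },
};

// Hardened express-session options: HttpOnly on, HTTPS only, SameSite set.
function hardenedSessionOptions(secret) {
  return {
    secret,
    resave: false,
    saveUninitialized: false,
    cookie: {
      httpOnly: true,        // not readable from document.cookie
      secure: true,          // only sent over HTTPS
      sameSite: 'lax',       // limits cross-site sending of the cookie
      maxAge: 60 * 60 * 1000 // one hour, in milliseconds
    },
  };
}

// cookie-session places cookie options at the top level of its options object.
function hardenedCookieSessionOptions(keys) {
  return { name: 'session', keys, httpOnly: true, secure: true, sameSite: 'lax' };
}

// Mirrors the rule: report only an explicit `httpOnly: false`. Works for both
// express-session (options.cookie.httpOnly) and cookie-session (options.httpOnly);
// an omitted flag keeps the library default of true and is not reported.
function httpOnlyDisabled(options) {
  const cookieOpts = options && options.cookie ? options.cookie : options;
  return Boolean(cookieOpts) && cookieOpts.httpOnly === false;
}

// Usage in an Express app (shown as a comment, express is not loaded here):
// app.use(session(hardenedSessionOptions(process.env.SESSION_SECRET)));
```

Run the check over every session options object in a code base before deployment; a `true` result is exactly the condition this rule flags.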

# Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/typescript/ts.security.express-cookie-missing-http-only.rule.yaml`.