security.authentication

Harden auth-bearing cookies

Auth and session cookies should set HttpOnly, Secure, and SameSite.

#Metadata

#Why it matters

Cookie flags keep session-bearing values out of reach of browser scripts (`HttpOnly`), off plaintext transport (`Secure`), and away from cross-site requests (`SameSite`).

#Remediation

Add `HttpOnly`, `Secure`, and an explicit `SameSite` policy before the cookie is used for session or auth state.
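As an added example (not code from this rule or the catalog), a TypeScript helper that always emits the three attributes when building a session cookie header, beside a check that reports which attributes an existing `Set-Cookie` value lacks; the function names and the sample cookie values are assumptions:

```typescript
// Added example, not the rule catalog's own code: build a hardened
// session cookie header and audit an existing Set-Cookie value for
// the attributes the rule requires. All names below are assumptions.

type SameSite = "Strict" | "Lax" | "None";

interface AuthCookieOptions {
  maxAgeSeconds?: number;
  path?: string;
  sameSite?: SameSite;
}

// Emit a Set-Cookie header value with HttpOnly, Secure and an explicit
// SameSite policy always present, so a caller cannot leave them out.
function buildAuthCookie(name: string, value: string, opts: AuthCookieOptions = {}): string {
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${opts.path ?? "/"}`];
  if (opts.maxAgeSeconds !== undefined) parts.push(`Max-Age=${opts.maxAgeSeconds}`);
  // SameSite=None is only accepted by browsers alongside Secure, which is
  // always emitted here; Strict is the default for session cookies.
  parts.push("HttpOnly", "Secure", `SameSite=${opts.sameSite ?? "Strict"}`);
  return parts.join("; ");
}

// Return the required attributes a Set-Cookie header value lacks; an empty
// array means the cookie satisfies the rule. Attribute names are
// case-insensitive per RFC 6265, so compare in lower case.
function missingCookieFlags(setCookie: string): string[] {
  const attrs = setCookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const missing: string[] = [];
  if (!attrs.includes("httponly")) missing.push("HttpOnly");
  if (!attrs.includes("secure")) missing.push("Secure");
  if (!attrs.some((a) => /^samesite=(strict|lax|none)$/.test(a))) missing.push("SameSite");
  return missing;
}

// Constructed sample: the insecure form the rule flags, beside the hardened one.
const insecureCookie = "session=abc123; Path=/";
const hardenedCookie = buildAuthCookie("session", "abc123", { maxAgeSeconds: 3600 });
console.log("insecure is missing:", missingCookieFlags(insecureCookie));
console.log("hardened is missing:", missingCookieFlags(hardenedCookie));
```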

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.insecure-auth-cookie-flags.rule.yaml.