{
"id": "S034",
"name": "Use __Host- prefix for Session Cookies",
"description": "Use the __Host- prefix for session cookies to prevent subdomain sharing. A browser only accepts a __Host- cookie if it is Secure, has Path=/, carries no Domain attribute and is set from a secure (HTTPS) origin; the resulting cookie is host-only, so it is neither sent to nor overwritable by subdomains, which blocks subdomain cookie-sharing and cookie-tossing (session fixation) attacks.",
"category": "security",
"severity": "warning",
"confidence": "high",
"tags": ["cookie", "security", "session", "subdomain", "host-prefix"],
"languages": ["javascript", "typescript"],
"patterns": {
"cookieNamePatterns": [
"session",
"sessionid",
"session_id",
"sid",
"connect.sid",
"auth",
"auth_token",
"authentication",
"jwt",
"token",
"csrf",
"csrf_token",
"xsrf",
"login",
"user",
"userid",
"user_id"
],
"hostPrefixPattern": "^__Host-",
"violationPatterns": [
"res\\.cookie\\s*\\(\\s*['\"`](?!__Host-)",
"Set-Cookie:\\s*(?!__Host-)",
"cookie:\\s*{[^}]*name\\s*:\\s*['\"`](?!__Host-)"
]
},
"validation": {
"hostPrefixRequirements": {
"secure": true,
"path": "/",
"domain": null,
"description": "__Host- prefix requires Secure=true, Path=/, and no Domain attribute, and the cookie must be set from a secure (HTTPS) origin; browsers silently discard a __Host- cookie that violates any of these, so renaming a cookie without also meeting these requirements breaks the session instead of hardening it"
}
},
"examples": {
"violation": [
"res.cookie('sessionid', token, { secure: true, httpOnly: true })",
"res.cookie('auth_token', value, { secure: true, path: '/' })",
"res.setHeader('Set-Cookie', 'session=value; Secure; HttpOnly')"
],
"clean": [
"res.cookie('__Host-sessionid', token, { secure: true, httpOnly: true, path: '/' })",
"res.cookie('__Host-auth_token', value, { secure: true, path: '/', domain: undefined })",
"res.setHeader('Set-Cookie', '__Host-session=value; Secure; HttpOnly; Path=/')"
]
},
"references": [
"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#__Host-",
"https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00",
"https://owasp.org/www-community/controls/SecureCookieAttribute"
]
}