python.flask.cookie_settings

Category: Security · Severity: High

Detects Flask apps with insecure cookie configuration.

Insecure session cookies expose the application to:

  • Session hijacking — Cookies sent over HTTP
  • XSS attacks — JavaScript can read cookies
  • CSRF attacks — Missing SameSite protection
# ❌ Before (insecure defaults)
from flask import Flask

app = Flask(__name__)
app.config['SESSION_COOKIE_SECURE'] = False    # session cookie also sent over plain HTTP
app.config['SESSION_COOKIE_HTTPONLY'] = False  # readable from JavaScript
# SESSION_COOKIE_SAMESITE not set: no SameSite attribute, no CSRF protection

# ✅ After (secure settings)
from flask import Flask

app = Flask(__name__)
app.config['SESSION_COOKIE_SECURE'] = True      # HTTPS only
app.config['SESSION_COOKIE_HTTPONLY'] = True    # No JS access
app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'   # CSRF protection
The rule flags:

  • SESSION_COOKIE_SECURE = False
  • SESSION_COOKIE_HTTPONLY = False
  • Missing SESSION_COOKIE_SAMESITE
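As an added illustration of what this rule has to find (example code, not the rule's own implementation), the checker below walks a module's AST for `app.config[...] = ...` and `app.config.update(...)` literals and reports the three patterns listed above; it goes slightly beyond the page in also reporting an unset SESSION_COOKIE_SECURE, since Flask's default for that setting is False. It assumes Python 3.9+ (where `ast.Subscript.slice` is the key node itself) and that the config object is referenced as `app.config`.

```python
import ast

UNKNOWN = object()  # assigned from a non-literal expression; not judged statically

def _config_literals(tree: ast.AST) -> dict:
    """Collect app.config['KEY'] = value and app.config.update(KEY=value) assignments."""
    seen = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and len(node.targets) == 1:
            t = node.targets[0]
            if (isinstance(t, ast.Subscript) and isinstance(t.value, ast.Attribute)
                    and t.value.attr == "config" and isinstance(t.slice, ast.Constant)):
                seen[t.slice.value] = node.value
        elif isinstance(node, ast.Call):
            f = node.func
            if (isinstance(f, ast.Attribute) and f.attr == "update"
                    and isinstance(f.value, ast.Attribute) and f.value.attr == "config"):
                for kw in node.keywords:
                    if kw.arg:  # skip **mapping expansions
                        seen[kw.arg] = kw.value
    return {k: (v.value if isinstance(v, ast.Constant) else UNKNOWN) for k, v in seen.items()}

def check_cookie_settings(source: str) -> list:
    """Return one finding per insecure or missing session-cookie setting."""
    cfg = _config_literals(ast.parse(source))
    findings = []
    # Flask's default is False, so an unset SESSION_COOKIE_SECURE is reported too.
    if cfg.get("SESSION_COOKIE_SECURE", False) is False:
        findings.append("SESSION_COOKIE_SECURE is False (cookie sent over plain HTTP)")
    # Flask's default is True, so only an explicit False is reported.
    if cfg.get("SESSION_COOKIE_HTTPONLY", True) is False:
        findings.append("SESSION_COOKIE_HTTPONLY is False (readable from JavaScript)")
    samesite = cfg.get("SESSION_COOKIE_SAMESITE")
    if samesite is None:
        findings.append("SESSION_COOKIE_SAMESITE not set (no CSRF protection)")
    elif samesite is not UNKNOWN and samesite not in ("Lax", "Strict"):
        findings.append(f"SESSION_COOKIE_SAMESITE = {samesite!r} (expected 'Lax' or 'Strict')")
    return findings

# Constructed samples mirroring the Before/After snippets on this page.
INSECURE = """
app = Flask(__name__)
app.config['SESSION_COOKIE_SECURE'] = False
app.config['SESSION_COOKIE_HTTPONLY'] = False
"""
SECURE = """
app = Flask(__name__)
app.config.update(SESSION_COOKIE_SECURE=True, SESSION_COOKIE_HTTPONLY=True,
                  SESSION_COOKIE_SAMESITE='Lax')
"""
```

Values assigned from expressions (for example a deployment flag) are skipped rather than guessed, so a finding is always backed by a literal in the source.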