npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@hint/hint-validate-set-cookie-header

v3.0.22

Published

hint for best practices related to the usage of the Set-Cookie response header.

Downloads

71,112

Readme

Valid Set-Cookie header (validate-set-cookie-header)

This hint validates the set-cookie header and confirms that the Secure and HttpOnly directives are defined when sent from a secure origin (HTTPS).

Why is this important?

A cookie is a small piece of information sent from a server to a user agent. The user agent might save it and send it along with future requests to identify the user session, track and analyze user behavior or inform the server of the user preferences. As a result, it contains sensitive data in a lot of the cases. To create a cookie, the Set-Cookie header is sent from a server in response to requests.

In the Set-Cookie header, a cookie is defined by a name associated with a value. A web server can configure the domain and path directives to restrain the scope of cookies. While session cookies are deleted when a browser shuts down, the permanent cookies expire at the time defined by Expires or Max-Age.

Among the directives, the Secure and HttpOnly attributes are particularly relevant to the security of cookies:

  • Setting Secure directive forbids a cookie to be transmitted via simple HTTP.
  • Setting the HttpOnly directive prevents access to cookie value through javascript.

Applying both directives makes it difficult to exploit cross-site scripting (XSS) vulnerabilities and hijack the authenticated user sessions. The wiki page of HTTP cookies offers detailed examples of cookie theft and proxy request when cookies are not well protected. According to the RFC HTTP State Management Mechanism, "When using cookies over a secure channel, servers SHOULD set the Secure attribute for every cookie". As a result, this hint checks if Secure and HttpOnly directives are properly used and offers to validate the Set-Cookie header syntax.

Note: More information about Set-cookie header is available in the MDN web docs.

What does the hint check?

  • Secure and HttpOnly cookies:

    • Secure and HttpOnly directives should be present if sites are secure.
    • Secure directive should not be present if sites are insecure.
  • Cookie prefixes:

    • __Secure- and __Host- prefixes can be used only if sites are secure.

    • Cookies with the __Host- prefix should have a path of "/" (the entire host) and should not have a domain attribute.

      Read more: cookie prefixes.

  • Syntax validation:

    • Validate cookie name and value string.
    • Validate Expires value date format.
  • Browser compatibility of Max-Age directive:

    • Some browsers (ie6, ie7, and ie8) don’t support Max-Age.

Examples that trigger the hint

Set-Cookie header that doesn’t have a name-value string:

HTTP/... 200 OK

...
Set-Cookie: Max-Age=0; Secure; HttpOnly

Set-Cookie header that doesn’t have the Secure directive:

HTTP/... 200 OK

...
Set-Cookie: cookieName=cookieValue; HttpOnly

Set-Cookie header that doesn’t have the HttpOnly directive:

HTTP/... 200 OK

...
Set-Cookie: cookieName=cookieValue; Secure

Set-Cookie header that has invalid name or value string:

HTTP/... 200 OK

...
Set-Cookie: "cookieName"=cookieValue; Secure; HttpOnly
HTTP/... 200 OK

...
Set-Cookie: cookieName=cookie value; Secure; HttpOnly

Set-Cookie header that has prefixes in the cookie name but is sent from pages using http protocol:

From an insecure origin (HTTP):

HTTP/... 200 OK

...
Set-Cookie: __Secure-ID=123; Secure; Domain=example.com

Set-Cookie header that has __Host- prefix in the cookie name but has Path absent or Domain defined:

HTTP/... 200 OK

...
Set-Cookie: __Host-id=1; Secure
HTTP/... 200 OK

...
Set-Cookie: __Host-id=1; Secure; Path=/; domain=example.com

Examples that pass the hint

HTTP/... 200 OK

...
Set-Cookie: cookieName=cookieValue; Secure; HttpOnly
HTTP/... 200 OK

...
Set-Cookie: cookieName="cookieValue"; Secure; HttpOnly
HTTP/... 200 OK

...
Set-Cookie: __Host-ID=123; Secure; Path=/; HttpOnly
HTTP/... 200 OK

...
Set-Cookie: __Secure-ID=123; Secure; Domain=example.com; HttpOnly

How to use this hint?

This package is installed automatically by webhint:

npm install hint --save-dev

To use it, activate it via the .hintrc configuration file:

{
    "connector": {...},
    "formatters": [...],
    "hints": {
        "validate-set-cookie-header": "error",
        ...
    },
    "parsers": [...],
    ...
}

Note: The recommended way of running webhint is as a devDependency of your project.