CA5396: Set HttpOnly to true for HttpCookie
| Property | Value |
|---|---|
| Rule ID | CA5396 |
| Title | Set HttpOnly to true for HttpCookie |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 9 | No |
Cause
System.Web.HttpCookie.HttpOnly is set to false. The default value of this property is false (unless the httpCookies configuration section changes it), so a cookie whose HttpOnly property is never assigned is also sent without the HttpOnly attribute.
Rule description
As a defense-in-depth measure, ensure that security-sensitive HTTP cookies (session identifiers, authentication tickets, anti-forgery tokens) are marked HttpOnly. The attribute tells the browser to deny script access to the cookie, for example through document.cookie, so a malicious script injected into the page (cross-site scripting) cannot read the cookie and exfiltrate it. Stealing session cookies with injected script is a common way of hijacking accounts. HttpOnly does not stop the injected script from issuing requests that the browser still sends with the cookie attached, which is why the rule treats it as one layer of defense rather than a fix for script injection itself.
How to fix violations
Set System.Web.HttpCookie.HttpOnly to true.
When to suppress warnings
It's safe to suppress a warning from this rule in either of these cases:
- The global HttpOnly default is set in configuration, so cookies that don't assign the property are marked HttpOnly anyway (requireSSL="true" likewise marks them Secure). For example:
  <system.web> ... <httpCookies httpOnlyCookies="true" requireSSL="true" /> </system.web>
  The configuration supplies only the default; code that explicitly assigns HttpOnly = false still overrides it, so this suppression reason doesn't apply to such an assignment.
- You're sure there's no sensitive data in the cookies.
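Before suppressing the warning on the strength of the global setting, confirm what the application actually sends. The following Python script is an added example, not part of this rule page or of the .NET analyzer: it parses raw Set-Cookie header values captured from the application (with a proxy or `curl -i`; the samples embedded below are constructed to resemble System.Web output) and reports cookies that lack HttpOnly or Secure, skipping names you've judged non-sensitive. Attribute names are compared case-insensitively because RFC 6265 defines them that way and servers differ in how they capitalize HttpOnly and Secure.

```python
"""Audit captured Set-Cookie headers for the HttpOnly and Secure attributes.

Added example; not part of the CA5396 rule page or the .NET analyzer.
Feed it the raw Set-Cookie header values captured from the application
(for example with a proxy or `curl -i`). The samples at the bottom are
constructed for illustration only.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class CookieAudit:
    """Result of inspecting one Set-Cookie header value."""
    name: str
    http_only: bool
    secure: bool
    issues: tuple  # human-readable list of missing protections


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value: 'name=value' then ';'-separated attributes.

    Attribute names are matched case-insensitively (RFC 6265); servers
    differ in whether they write 'HttpOnly', 'httponly' or 'secure'.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    http_only = "httponly" in attrs
    secure = "secure" in attrs
    issues = []
    if not http_only:
        issues.append("missing HttpOnly")
    if not secure:
        issues.append("missing Secure")
    return CookieAudit(name, http_only, secure, tuple(issues))


def audit_headers(header_values, non_sensitive=frozenset()):
    """Return {cookie_name: issues} for cookies that are not fully protected.

    Cookies whose names are in `non_sensitive` (a judgement you make, as the
    rule's second suppression case describes) are skipped.
    """
    findings = {}
    for value in header_values:
        audit = parse_set_cookie(value)
        if audit.name in non_sensitive or not audit.issues:
            continue
        findings[audit.name] = audit.issues
    return findings


# Constructed sample headers, shaped like what a System.Web application emits.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax",
    ".ASPXAUTH=0123abcd; expires=Fri, 01-Jan-2030 00:00:00 GMT; path=/; secure; HttpOnly",
    "cookieName=value; path=/",        # like the rule's violation example
    "theme=dark; path=/; secure",       # UI preference, not sensitive
]

if __name__ == "__main__":
    for cookie, issues in audit_headers(SAMPLE_HEADERS, non_sensitive={"theme"}).items():
        print(f"{cookie}: {', '.join(issues)}")
```

Run it against the headers of a real response after deploying the httpCookies setting: if any sensitive cookie still appears in the findings, some code path assigns HttpOnly = false explicitly and the CA5396 warning for that path should not be suppressed.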
Suppress a warning
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA5396
// The code that's violating the rule is on this line.
#pragma warning restore CA5396
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA5396.severity = none
For more information, see How to suppress code analysis warnings.
Example
Violation:
using System.Web;
class ExampleClass
{
public void ExampleMethod()
{
HttpCookie httpCookie = new HttpCookie("cookieName");
// Explicitly disables HttpOnly: any script running on the page can read this cookie.
httpCookie.HttpOnly = false;
}
}
Solution:
using System.Web;
class ExampleClass
{
public void ExampleMethod()
{
HttpCookie httpCookie = new HttpCookie("cookieName");
// Marks the cookie HttpOnly so the browser withholds it from script (document.cookie).
httpCookie.HttpOnly = true;
}
}