Severity: high · ASVS V3.4

Browser & Cookie Security

AI agents configure cookies without Secure, HttpOnly, or SameSite flags — leaving your users’ sessions vulnerable to theft via XSS and CSRF attacks.

What it catches

  • Cookies without Secure flag (sent over HTTP)
  • Cookies without HttpOnly flag (readable by JavaScript/XSS)
  • Missing SameSite attribute (CSRF vulnerability)
  • Session tokens in localStorage (XSS-accessible)
  • JWT tokens stored client-side without proper protections
  • document.cookie access patterns in client code

Why vibe coders should care

If your auth cookie doesn’t have HttpOnly, any XSS on your site can steal user sessions with document.cookie. Without SameSite, a malicious site can make requests as your logged-in user. Without Secure, cookies are sent over plain HTTP and can be intercepted on public WiFi.

Real impact: Missing cookie flags = account takeover. An attacker injects JavaScript through any XSS vulnerability and instantly has every user’s session token.

Example

// ❌ VibSec flags this — insecure cookie configuration
res.cookie('session', token);

// ✅ Set all security attributes
res.cookie('session', token, {
  httpOnly: true,     // Can't be read by JavaScript
  secure: true,       // HTTPS only
  sameSite: 'strict', // No cross-site requests
  maxAge: 3600000,    // 1 hour expiry
});
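The flags listed under "What it catches" can also be verified on the wire, by inspecting the Set-Cookie headers a server actually emits. The following audit function is an added example written for this page, not VibSec's own code; the two sample headers are constructed and correspond to the insecure and fixed calls shown above.

```javascript
// Parse one Set-Cookie header value into its cookie name and a map of
// lowercase attribute names to values (or `true` for valueless attributes).
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    const sep = attr.indexOf('=');
    const key = (sep === -1 ? attr : attr.slice(0, sep)).toLowerCase();
    attributes[key] = sep === -1 ? true : attr.slice(sep + 1).trim();
  }
  return { name, attributes };
}

// Report the missing protections for a session-style cookie.
// An empty array means the cookie carries every flag the check expects.
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  const hasSecure = 'secure' in attributes;
  if (!hasSecure) findings.push(`${name}: missing Secure (sent over plain HTTP)`);
  if (!('httponly' in attributes)) {
    findings.push(`${name}: missing HttpOnly (readable via document.cookie)`);
  }
  const sameSite = attributes.samesite;
  if (sameSite === undefined) {
    findings.push(`${name}: missing SameSite (CSRF exposure)`);
  } else if (String(sameSite).toLowerCase() === 'none' && !hasSecure) {
    // Browsers reject SameSite=None unless Secure is also set.
    findings.push(`${name}: SameSite=None requires Secure`);
  }
  return findings;
}

// Constructed sample headers: what `res.cookie('session', token)` emits
// versus the fully flagged version from the example above.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/',
  'session=abc123; Max-Age=3600; Path=/; HttpOnly; Secure; SameSite=Strict',
];

for (const h of SAMPLE_HEADERS) {
  const findings = auditSetCookie(h);
  console.log(findings.length ? findings.join('\n') : `OK: ${h}`);
}
```

Run it with `node` to see three findings for the first header and `OK` for the second; the same function can be pointed at the headers captured from a staging deployment.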

How to fix

Add httpOnly, secure, and sameSite flags to all cookies that contain session tokens or sensitive data. VibSec identifies the exact cookie-setting code that needs to be updated.

Related checks: Excessive Agency · Exposed Ports