RSTR-NET-004 — cookie httpOnly: false (network-rule variant)

Summary

A cookie is set with httpOnly: false, exposing it to client-side JavaScript. This is the network-layer variant of RSTR-COOKIE-002; it exists separately because the network analyzer also catches cookie options when set on header objects rather than via Express res.cookie.
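The header-object case the summary mentions is easy to check at runtime as well as statically. The following is an added example, not rastray's code: it reads a response headers object, parses each Set-Cookie value, and returns the names of cookies that lack the HttpOnly attribute. The sample headers are constructed for the example.

```javascript
// Added example (not rastray's own analyzer): audit Set-Cookie values written
// directly to a header object instead of through res.cookie().

// Split one Set-Cookie value into the cookie name and its attribute names.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  // Attribute names are case-insensitive ("HttpOnly", "httponly", ...).
  const attributes = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return { name, attributes };
}

// Return the names of every cookie in the headers object that is readable by
// client-side JavaScript, i.e. whose Set-Cookie lacks the HttpOnly attribute.
function cookiesMissingHttpOnly(headers) {
  // Node lower-cases header names; accept either spelling and string or array values.
  const raw = headers['set-cookie'] || headers['Set-Cookie'] || [];
  const values = Array.isArray(raw) ? raw : [raw];
  return values
    .map(parseSetCookie)
    .filter((c) => !c.attributes.has('httponly'))
    .map((c) => c.name);
}

// Constructed sample: a session cookie without HttpOnly, a hardened session
// cookie, and a CSRF mirror cookie that is JS-readable on purpose.
const sampleHeaders = {
  'set-cookie': [
    'sid=abc123; Path=/; Secure; SameSite=Strict',
    'sid2=def456; Path=/; Secure; HttpOnly; SameSite=Strict',
    'XSRF-TOKEN=tok; Path=/; Secure; SameSite=Strict',
  ],
};

console.log(cookiesMissingHttpOnly(sampleHeaders)); // [ 'sid', 'XSRF-TOKEN' ]
```

A check like this is a useful complement to the static rule: it sees the final header regardless of which library built it, but it cannot tell the accidental `sid` from the intentional `XSRF-TOKEN`, so the intent still has to live in the source (see the suppression comment below).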

Severity

Medium.

Languages

JavaScript, TypeScript.

What rastray flags

const cookieOptions = { httpOnly: false };          // ← flagged
res.cookie('sid', token, cookieOptions);
const opts = { httpOnly: false, maxAge: 3600_000 }; // ← flagged

What rastray deliberately does not flag

  • Options with httpOnly: true.
  • Options that omit httpOnly entirely (caught by a higher-level review; this rule fires specifically on the explicit false).

How to fix it

Set httpOnly: true; together with secure and sameSite this is the safest default for a cookie:

res.cookie('sid', token, {
    secure:    true,
    httpOnly:  true,
    sameSite:  'strict',
});

If the cookie genuinely must be JS-readable (CSRF mirror token, feature-flag cookie), suppress with a comment naming the purpose:

// rastray-ignore: RSTR-NET-004 — CSRF mirror cookie must be readable
res.cookie('XSRF-TOKEN', csrf, { httpOnly: false, sameSite: 'strict' });
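To make the rule's boundaries concrete (explicit false is flagged, true and omitted are not, and a named ignore comment on the preceding line suppresses a finding), here is an added, line-based approximation of RSTR-NET-004. It is not rastray's analyzer; the sample source it scans is constructed from the snippets on this page.

```javascript
// Added example (not rastray's own analyzer): a toy, line-based version of
// RSTR-NET-004. It reports an explicit `httpOnly: false`, leaves
// `httpOnly: true` and option objects that omit httpOnly alone, and honours a
// `rastray-ignore: RSTR-NET-004` comment on the line before the finding.

const RULE_ID = 'RSTR-NET-004';
const EXPLICIT_FALSE = /\bhttpOnly\s*:\s*false\b/;
const IGNORE_COMMENT = new RegExp(`rastray-ignore:\\s*${RULE_ID}\\b`);

// Scan source text and return one finding per unsuppressed explicit false.
function lintHttpOnly(source) {
  const lines = source.split('\n');
  const findings = [];
  lines.forEach((line, i) => {
    if (!EXPLICIT_FALSE.test(line)) return;      // true or omitted: not this rule
    const prev = i > 0 ? lines[i - 1] : '';
    if (IGNORE_COMMENT.test(prev)) return;        // suppressed with a named purpose
    findings.push({ rule: RULE_ID, line: i + 1, text: line.trim() });
  });
  return findings;
}

// Constructed sample: the flagged patterns from the rule text, a hardened
// cookie, an option object without httpOnly, and a suppressed CSRF mirror.
const sampleSource = `
const cookieOptions = { httpOnly: false };
res.cookie('sid', token, cookieOptions);
const opts = { httpOnly: false, maxAge: 3600_000 };
res.cookie('sid', token, { secure: true, httpOnly: true, sameSite: 'strict' });
res.cookie('theme', 'dark', { maxAge: 86400_000 });
// rastray-ignore: RSTR-NET-004 - CSRF mirror cookie must be readable
res.cookie('XSRF-TOKEN', csrf, { httpOnly: false, sameSite: 'strict' });
`;

console.log(lintHttpOnly(sampleSource).map((f) => f.line)); // [ 2, 4 ]
```

The suppression only applies when the comment sits on the line immediately before the flagged option, which keeps the stated purpose next to the cookie it justifies; a blanket ignore at the top of a file would not be honoured by this check.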

References