Original Post: Bento check: keeping your cookies safe in Flask
The article discusses best practices for handling cookies in Flask applications to enhance security. It suggests using the Semgrep tool to detect instances where Flask's set_cookie() method is used without specifying the secure, httponly, and samesite attributes, which are important for preventing XSS and CSRF attacks. These security features were introduced in RFC 6265 and further updated in a draft RFC. The article includes examples of proper and improper usage of set_cookie(), and describes how the new check works by flagging insufficiently secure cookie settings. The check has been tested on GitHub projects and found to be generally beneficial without being overly restrictive. The piece concludes with references for further reading on cookie security and suggestions for tools like Bento to automate such checks.
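As an added example (not code from the article, Bento or Semgrep), the following stdlib-only checker mirrors the described rule: it walks a Python AST for set_cookie() calls and reports which of the secure, httponly and samesite attributes are not pinned. The Flask source it scans is a constructed sample, and the checker assumes the attributes are passed as keyword arguments.

```python
import ast

# Constructed sample of Flask handler code (not from the original article):
# the first call sets all three attributes, the other two leave something out.
SAMPLE_SOURCE = '''
from flask import Flask, make_response
app = Flask(__name__)

@app.route("/login")
def login():
    resp = make_response("ok")
    resp.set_cookie("session", "abc", secure=True, httponly=True, samesite="Lax")
    resp.set_cookie("tracking", "xyz")
    resp.set_cookie("csrf", "123", httponly=True, samesite="Strict")
    return resp
'''


def _is_true(node):
    # secure=True / httponly=True only count when they are the literal True
    return isinstance(node, ast.Constant) and node.value is True


def _is_samesite(node):
    # samesite must be a non-empty string literal (in practice "Lax" or "Strict")
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value != ""


def find_insecure_set_cookie(source):
    """Return sorted (line, missing_attributes) pairs for every set_cookie()
    call that does not pin secure=True, httponly=True and a samesite value.
    Only keyword arguments are inspected (assumption of this example)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "set_cookie"):
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        missing = []
        if not _is_true(kwargs.get("secure")):
            missing.append("secure")
        if not _is_true(kwargs.get("httponly")):
            missing.append("httponly")
        if not _is_samesite(kwargs.get("samesite")):
            missing.append("samesite")
        if missing:
            findings.append((node.lineno, missing))
    findings.sort()
    return findings


if __name__ == "__main__":
    for line, missing in find_insecure_set_cookie(SAMPLE_SOURCE):
        print(f"line {line}: set_cookie() without {', '.join(missing)}")
```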