
ast/insecure-cookie-set

Insecure cookie: httpOnly and/or secure not explicitly set to true

severity: high · engine: AST · category: insecure-cookie · CWE-1004 · languages: js · ts

What it detects

res.cookie / ctx.cookie was called without an options object, or with httpOnly: false or secure: false. Express adds neither attribute unless you ask for it, so the cookie ships with no HttpOnly and no Secure flag: it is readable from page JavaScript (any XSS that can read document.cookie becomes session takeover) and it is sent over plain HTTP as well as HTTPS (sniffable on a shared network). Pass `{ httpOnly: true, secure: true, sameSite: 'lax' }` (or sameSite: 'strict' if your app never needs the cookie on a top-level cross-site navigation). In development where HTTPS isn't set up, gate `secure` on process.env.NODE_ENV rather than dropping it; do not gate it on req.secure behind a TLS-terminating proxy unless `trust proxy` is configured, because the hop from the proxy is plain HTTP and the flag would silently turn off in production.
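The three call shapes this rule flags, beside the hardened call, shown as an added example (not repoguard's or Express's own code). It runs against a small stand-in for res.cookie that only serializes the Set-Cookie header, so the effect of each options object is visible; `cookieOptions`, `serializeCookie`, `fakeResponse` and `isInsecureCookieOptions` are names assumed here for the example.

```javascript
// Added example: what the rule flags and what it wants, run through a
// constructed stand-in for Express's res.cookie (not the real library).

// Options a session cookie should carry. `secure` is gated on NODE_ENV so a
// local http://localhost dev server still receives the cookie.
function cookieOptions(nodeEnv = process.env.NODE_ENV) {
  return {
    httpOnly: true,                    // not readable via document.cookie
    secure: nodeEnv === 'production',  // only sent over HTTPS in production
    sameSite: 'lax',                   // 'strict' if cross-site top-level nav can be dropped
    path: '/',
  };
}

// Serialize a cookie for the attribute subset used here, in the same order
// the `cookie` package emits them. Constructed stand-in for this example.
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) {
    const v = String(opts.sameSite).toLowerCase();
    parts.push(`SameSite=${v[0].toUpperCase()}${v.slice(1)}`);
  }
  return parts.join('; ');
}

// Minimal response object that records the Set-Cookie headers it would send.
function fakeResponse() {
  const headers = [];
  return {
    headers,
    cookie(name, value, opts) {
      headers.push(serializeCookie(name, value, opts));
      return this;
    },
  };
}

// Runtime mirror of the rule's check on a finished options object: flagged
// when options are absent or either flag is not explicitly true.
function isInsecureCookieOptions(opts) {
  return !opts || opts.httpOnly !== true || opts.secure !== true;
}

// Flagged shapes: session id exposed to script and/or to plain-HTTP capture.
const bad = fakeResponse();
bad.cookie('sid', 'abc123');                                    // no options at all
bad.cookie('sid', 'abc123', { httpOnly: false, secure: true }); // httpOnly: false
bad.cookie('sid', 'abc123', { httpOnly: true, secure: false }); // secure: false

// Hardened call as the rule recommends (production environment shown).
const good = fakeResponse();
good.cookie('sid', 'abc123', cookieOptions('production'));

console.log(bad.headers);   // none of these carry both HttpOnly and Secure
console.log(good.headers);  // 'sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'
```

Note that `cookieOptions('development')` deliberately yields secure: false; `isInsecureCookieOptions` reports it as insecure at runtime, which is the intended trade-off for a local HTTP dev server and the reason the gate must flip to true in production.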

How it runs

Each scanned file is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the resulting AST looking for the call shape described above. Files larger than 200 KB, or that fail to parse, are skipped, so a cookie call in such a file will not be reported.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.