← all rules
code/js-cookie-insecure-prod
Session cookie with secure: false
What it detects
secure: false sends the cookie over plain HTTP, making it interceptable on any shared network. Production session cookies must be `secure: true` so they ride only over TLS.
How it runs
Applied line-by-line via a tagged regex with language-specific gating. Comments are skipped. Designed for high-confidence patterns where AST parsing would be overkill.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.