Viewing file:  HttpOnlyCookieAnalyzer.php (2.03 KB) -rw-r--r--
Select action/file-type:
 (+) |  (+) |  (+) | Code (+) | Session (+) |  (+) | SDB (+) |  (+) |  (+) |  (+) |  (+) |  (+) |
<?php
namespace Enlightn\Enlightn\Analyzers\Security;
use Enlightn\Enlightn\Analyzers\Concerns\AnalyzesMiddleware;
use Enlightn\Enlightn\Analyzers\Concerns\ParsesConfigurationFiles;
use Illuminate\Contracts\Config\Repository as ConfigRepository;
use Illuminate\Contracts\Http\Kernel;
use Illuminate\Routing\Router;
class HttpOnlyCookieAnalyzer extends SecurityAnalyzer
{
use ParsesConfigurationFiles;
use AnalyzesMiddleware;
/**
* The title describing the analyzer.
*
* @var string|null
*/
public $title = 'Cookies are secured as HttpOnly.';
/**
* The severity of the analyzer.
*
* @var string|null
*/
public $severity = self::SEVERITY_CRITICAL;
/**
* The time to fix in minutes.
*
* @var int|null
*/
public $timeToFix = 1;
/**
* Create a new analyzer instance.
*
* @param \Illuminate\Routing\Router $router
* @param \Illuminate\Contracts\Http\Kernel $kernel
* @return void
*/
public function __construct(Router $router, Kernel $kernel)
{
$this->router = $router;
$this->kernel = $kernel;
}
/**
* Get the error message describing the analyzer insights.
*
* @return string
*/
public function errorMessage()
{
return "Your app session cookies are insecure as the HttpOnly option is disabled in your "
."session configuration. This exposes your application to possible XSS (cross-site "
."scripting) attacks.";
}
/**
* Execute the analyzer.
*
* @param \Illuminate\Contracts\Config\Repository $config
* @return void
*/
public function handle(ConfigRepository $config)
{
if (! $config->get('session.http_only', false)) {
$this->recordError('session', 'http_only');
}
}
/**
* Determine whether to skip the analyzer.
*
* @return bool
* @throws \ReflectionException
*/
public function skip()
{
return $this->appIsStateless();
}
}
|