New

Codemod Registry

Explore community-led codemods to migrate, optimize, and transform your codebase.

+600 codemods published

Ready to contribute?

Build your own codemod and share it with the community.

Publish a codemod

Join the community

codemod/hono-secure-cookie-httponly-samesite - Codemod Registry

Ccodemod

codemod/hono-secure-cookie-httponly-samesite

Automatically adds security-critical httpOnly and sameSite attributes to cookie configurations in Hono applications to prevent XSS and CSRF attacks

Public

transformationmigrationsecurityhonocookies

Public

0 downloads

1 stars

How to Use

Run this codemod on your codebase using one of the following commands

The easiest way to run this codemod without installing anything globally:

Documentation

Hono Secure Cookie - HttpOnly & SameSite

Automatically adds security-critical httpOnly and sameSite attributes to cookie configurations in Hono applications to prevent XSS and CSRF attacks.

🔒 Security Problem

Hono applications often set cookies without proper security attributes, leaving them vulnerable to:

XSS Attacks (CWE-1004): Cookies accessible via JavaScript can be stolen by malicious scripts
CSRF Attacks (CWE-352): Cookies sent with cross-site requests enable cross-site request forgery

🚀 What This Codemod Does

This codemod automatically adds missing security attributes to cookie calls in Hono applications:

httpOnly: true: Prevents cookies from being accessed by JavaScript, mitigating XSS attacks
sameSite: 'strict': Prevents cookies from being sent with cross-site requests, mitigating CSRF attacks

📋 Before & After Examples

Basic Cookie Call

javascript

Cookie with Partial Options

javascript

setCookie Function

javascript

Missing Only One Attribute

javascript

🎯 Scope & Behavior

✅ What Gets Transformed

Files importing from 'hono' or 'hono/cookie'
c.cookie() method calls (2 or 3 arguments)
setCookie() function calls from 'hono/cookie'
Missing or incomplete security attributes

❌ What Stays Unchanged

Cookies already configured with both httpOnly and sameSite
Files without Hono imports (prevents false positives)
Options with spread operators (e.g., {...config})
Existing sameSite values are preserved (only adds if missing)
Explicit httpOnly: false is overridden to true for security

🛠️ Installation & Usage

bash

📁 Supported File Types

.js - JavaScript files
.ts - TypeScript files
.jsx - JavaScript with JSX
.tsx - TypeScript with JSX

🔍 Security References

This codemod addresses the following security vulnerabilities:

CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag - https://cwe.mitre.org/data/definitions/1004.html
CWE-352: Cross-Site Request Forgery (CSRF) - https://cwe.mitre.org/data/definitions/352.html

📚 Learn More

🛠️ Development

bash

📄 License

MIT

Ready to contribute?

Build your own codemod and share it with the community.

Publish a codemod

Join the community