Ccodemod

codemod/hono-secure-cookie-httponly-samesite

Automatically adds security-critical httpOnly and sameSite attributes to cookie configurations in Hono applications to prevent XSS and CSRF attacks

transformationmigrationsecurityhonocookies
Public
0 executions
Apply to Repository

Run locally

npx codemod @codemod/hono-secure-cookie-httponly-samesite

Hono Secure Cookie - HttpOnly & SameSite

Automatically adds security-critical httpOnly and sameSite attributes to cookie configurations in Hono applications to prevent XSS and CSRF attacks.

🔒 Security Problem

Hono applications often set cookies without proper security attributes, leaving them vulnerable to:

  • XSS Attacks (CWE-1004): Cookies accessible via JavaScript can be stolen by malicious scripts
  • CSRF Attacks (CWE-352): Cookies sent with cross-site requests enable cross-site request forgery

🚀 What This Codemod Does

This codemod automatically adds missing security attributes to cookie calls in Hono applications:

  • httpOnly: true: Prevents cookies from being accessed by JavaScript, mitigating XSS attacks
  • sameSite: 'strict': Prevents cookies from being sent with cross-site requests, mitigating CSRF attacks

📋 Before & After Examples

Basic Cookie Call

javascript

Cookie with Partial Options

javascript

setCookie Function

javascript

Missing Only One Attribute

javascript

🎯 Scope & Behavior

✅ What Gets Transformed

  • Files importing from 'hono' or 'hono/cookie'
  • c.cookie() method calls (2 or 3 arguments)
  • setCookie() function calls from 'hono/cookie'
  • Missing or incomplete security attributes

❌ What Stays Unchanged

  • Cookies already configured with both httpOnly and sameSite
  • Files without Hono imports (prevents false positives)
  • Options with spread operators (e.g., {...config})
  • Existing sameSite values are preserved (only adds if missing)
  • Explicit httpOnly: false is overridden to true for security

🛠️ Installation & Usage

bash

📁 Supported File Types

  • .js - JavaScript files
  • .ts - TypeScript files
  • .jsx - JavaScript with JSX
  • .tsx - TypeScript with JSX

🔍 Security References

This codemod addresses the following security vulnerabilities:

📚 Learn More

🛠️ Development

bash

📄 License

MIT

Ready to contribute?

Build your own codemod and share it with the community.

Publish a codemodJoin the community