release 0.6.2 — report-the-passes for cookies (HttpOnly/Secure/SameSite)#6

Merged: raccioly merged 1 commit into `main` from `release/0.6.2` on Jun 19, 2026

@raccioly (Owner)

0.6.2 — report-the-passes for cookies

The pen-test feedback's "report the passes" item: surface controls that HELD, not just failures.

  • `transport_security` now reports a cookie-hardening PASS when `HttpOnly + Secure + SameSite` are all present (✓ in the briefing's §3c "report-the-pass / gap" line).
  • A missing flag becomes a new `insecure-cookie` finding (CWE-1004 / CWE-614).

Saying "checked ✓" builds trust and turns the control into a regression assertion. Verified on a real Cloudflare Worker app (cookies correctly hardened → reports the pass).

139 tests; docguard 87/87.

🤖 Generated with Claude Code

transport_security now reports a cookie-hardening PASS (all three flags present
→ ✓, surfaced in the briefing's §3c report-the-pass/gap line) and flags the gap
as a new insecure-cookie finding (CWE-1004/614) when a flag is missing. Saying
"checked ✓" builds trust and turns the control into a regression assertion.

139 tests; docguard 87/87.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@raccioly merged commit 69a1cea into main on Jun 19, 2026 (3 checks passed)

@raccioly deleted the release/0.6.2 branch on June 23, 2026 14:47
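
The pass-or-gap check described in this release, sketched as an added example that is not code from this repository: it parses `Set-Cookie` values, reports a pass only when `HttpOnly`, `Secure` and `SameSite` are all present, and otherwise emits an `insecure-cookie` finding. The names `parse_set_cookie`, `check_cookie` and `audit` are hypothetical, and treating `SameSite=None` as a gap is an assumption of the example.

```python
from dataclasses import dataclass, field

# CWE ids are the two the PR names; it names none for SameSite.
REQUIRED = {"httponly": "CWE-1004", "secure": "CWE-614", "samesite": None}

@dataclass
class CookieResult:
    name: str
    status: str                      # "pass" or "insecure-cookie"
    missing: list = field(default_factory=list)
    cwes: list = field(default_factory=list)

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0].strip(), attrs

def check_cookie(header):
    """PASS only when all three hardening attributes are present."""
    name, attrs = parse_set_cookie(header)
    missing = []
    for attr in REQUIRED:
        if attr not in attrs:
            missing.append(attr)
        # Assumption of this example: SameSite=None (or a junk value) is a gap.
        elif attr == "samesite" and attrs[attr].lower() not in ("strict", "lax"):
            missing.append(attr)
    cwes = [REQUIRED[a] for a in missing if REQUIRED[a]]
    return CookieResult(name, "insecure-cookie" if missing else "pass", missing, cwes)

def audit(headers):
    """Return (overall_pass, findings) for a response's Set-Cookie values."""
    results = [check_cookie(h) for h in headers]
    findings = [r for r in results if r.status != "pass"]
    return bool(results) and not findings, findings

if __name__ == "__main__":
    # Constructed sample headers, not captured from any real application.
    sample = [
        "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
        "prefs=dark; Path=/; Max-Age=3600; Secure",
    ]
    ok, findings = audit(sample)
    print("cookie hardening:", "PASS" if ok else "GAP")
    for f in findings:
        print(f"  insecure-cookie {f.name}: missing {f.missing} {f.cwes}")
```

`audit` returns no pass for a response that sets no cookies, so an empty result is never reported as a control that held.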