@sun-asterisk/sunlint 1.3.39 → 1.3.41

package/skill-assets/sunlint-code-quality/rules/kotlin/S020-eval-code-execution.md

@@ -0,0 +1,57 @@
+---
+title: Avoid Eval Or Dynamic Code Execution
+impact: CRITICAL
+impactDescription: prevents Remote Code Execution (RCE) vulnerabilities
+tags: eval, code-execution, rce, injection, security, kotlin
+---
+
+## Avoid Eval Or Dynamic Code Execution
+
+Executing code dynamically based on user input (e.g., using Script Engines or Reflection) is extremely dangerous. It allows attackers to execute arbitrary commands on the host system, leading to full server compromise.
+
+**Incorrect (dynamic code execution):**
+
+```kotlin
+// Using JavaScript engine with user input
+val engine = ScriptEngineManager().getEngineByName("javascript")
+val userInput = request.getParameter("formula")
+val result = engine.eval(userInput) // RCE vulnerability!
+
+// Reflection with user-provided class names
+val className = request.getParameter("type")
+val instance = Class.forName(className).getDeclaredConstructor().newInstance()
+// Attacker can pass "java.lang.ProcessBuilder"
+```
+
+**Correct (safe alternatives):**
+
+```kotlin
+// Use a specialized safe expression parser (e.g., exp4j)
+val expression = ExpressionBuilder(userInput)
+    .variables("x")
+    .build()
+val result = expression.setVariable("x", 10.0).evaluate()
+
+// Use a predefined map for dynamic behavior
+val operations = mapOf<String, (Int, Int) -> Int>(
+    "add" to { a, b -> a + b },
+    "subtract" to { a, b -> a - b }
+)
+val operation = operations[userInput] ?: throw IllegalArgumentException("Invalid operation")
+val result = operation(10, 5)
+
+// For mapping types, use a factory with an allowlist
+fun createService(type: String): Service = when(type) {
+    "email" -> EmailService()
+    "sms" -> SmsService()
+    else -> throw IllegalArgumentException("Unsupported type")
+}
+```
+
+**Never use with user input:**
+- `ScriptEngine.eval()`
+- `Runtime.getRuntime().exec()` without extreme sanitization (prefer `ProcessBuilder`)
+- `Class.forName(userInput)`
+- SpEL (Spring Expression Language) with untrusted input
+
+**Tools:** SonarQube (S1523), Semgrep, detekt, Manual Security Audit

package/skill-assets/sunlint-code-quality/rules/kotlin/S022-context-escaping.md

@@ -0,0 +1,58 @@
+---
+title: Escape Data By Output Context
+impact: MEDIUM
+impactDescription: ensures data is safely encoded for its specific target environment (HTML, JavaScript, URL, etc.)
+tags: xss, escaping, context, encoding, security, kotlin
+---
+
+## Escape Data By Output Context
+
+Using the wrong escaping strategy is as dangerous as not escaping at all. For example, HTML entity encoding (like `<`) in a JavaScript string context will not prevent an attacker from breaking out of the string.
+
+**Incorrect (wrong encoding for context):**
+
+```kotlin
+// WRONG: Using HTML escaping for a JavaScript variable
+val escaped = HtmlUtils.htmlEscape(userInput)
+val responseHtml = "<script>var name = '$escaped';</script>" 
+// Still vulnerable to breaking out of the quote if userInput contains ' or \
+
+// WRONG: No header sanitization
+response.setHeader("X-User-Note", userInput) 
+// Potential HTTP Header Injection (CRLF injection)
+```
+
+**Correct (context-appropriate encoding):**
+
+```kotlin
+import org.owasp.encoder.Encode
+import java.net.URLEncoder
+
+// 1. HTML Content Context (Normal text inside tags)
+val safeHtml = Encode.forHtml(userInput)
+val pTag = "<p>$safeHtml</p>"
+
+// 2. JavaScript Context (User data inside a script tag)
+val safeJsValue = Encode.forJavaScript(userInput)
+val script = "<script>var username = '$safeJsValue';</script>"
+
+// 3. URL Parameter Context (Used in a query string)
+val safeUrlParam = URLEncoder.encode(userInput, "UTF-8")
+val redirectUrl = "/search?q=$safeUrlParam"
+
+// 4. HTTP Header Context (Preventing CRLF injection)
+val safeHeader = userInput.replace("[\r\n]".toRegex(), "")
+response.setHeader("X-Custom-Data", safeHeader)
+
+// 5. Email Header Context
+val safeSubject = emailSubject.replace("[\r\n]".toRegex(), "")
+```
+
+**Context Rules:**
+- **Inside HTML body:** Use HTML Entity encoding.
+- **Inside HTML attribute:** Use HTML Attribute encoding.
+- **Inside `<script>` tags:** Use JavaScript literal encoding or JSON stringification.
+- **Inside CSS:** Use CSS hex escaping.
+- **Inside URL:** Use URL encoding (percent-encoding).
+
+**Tools:** OWASP Java Encoder (Recommended), Spring `HtmlUtils`, Ktor `encodeURLQueryComponent`, SonarQube (S2245)

package/skill-assets/sunlint-code-quality/rules/kotlin/S023-dynamic-js-encoding.md

@@ -0,0 +1,57 @@
+---
+title: Output Encoding For Dynamic JS/JSON
+impact: HIGH
+impactDescription: prevents code injection when transferring data from backend to frontend scripts
+tags: xss, javascript, json, encoding, security, kotlin
+---
+
+## Output Encoding For Dynamic JS/JSON
+
+When Kotlin backends generate HTML that includes inline JavaScript or JSON data blocks, user-controlled data must be properly encoded to prevent attackers from injecting malicious scripts.
+
+**Incorrect (unescaped data in inline JS):**
+
+```kotlin
+// VULNERABLE: Direct string interpolation in JS
+val username = request.getParameter("name") // Input: admin"; alert('xss'); "
+val html = """
+    <script>
+        var currentUser = "$username"; 
+    </script>
+"""
+call.respondText(html, ContentType.Text.Html)
+```
+
+**Correct (proper JSON or JS encoding):**
+
+```kotlin
+import com.fasterxml.jackson.databind.ObjectMapper
+import org.owasp.encoder.Encode
+
+// 1. Using Jackson for safe JSON serialization (Best for objects)
+val mapper = ObjectMapper()
+val userData = mapOf("name" to username, "id" to userId)
+val safeJson = mapper.writeValueAsString(userData)
+
+val html = """
+    <script>
+        var userData = $safeJson; // safeJson is wrapped in quotes if it's a string, or is an object
+    </script>
+"""
+
+// 2. Using OWASP Encoder for specific JS literal strings
+val safeJsString = Encode.forJavaScript(username)
+val htmlLiteral = "<script>var name = '$safeJsString';</script>"
+
+// 3. Recommended: Use HTML Data Attributes instead of inline JS
+val htmlDataAttr = """
+    <div id="user-context" data-user-info='${Encode.forHtmlAttribute(safeJson)}'></div>
+"""
+```
+
+**Key Strategies:**
+- **Prefer Data Attributes:** Instead of inline `<script>`, put your data in `data-*` attributes of HTML elements and read them from your external JS file.
+- **Use JSON Parsers:** Use `Jackson` or `Kotlinx.Serialization` to convert objects to JSON. They handle most escaping issues, but you still need to be careful about the `</script>` tag inside strings.
+- **Escape `</script>`:** Even inside a quoted JS string, the browser might interpret `</script>` as the end of the script block. Secure encoders will escape the `/` or use unicode sequences.
+
+**Tools:** Jackson, Kotlinx.Serialization, OWASP Java Encoder, Manual Review

package/skill-assets/sunlint-code-quality/rules/kotlin/S025-server-validation.md

@@ -0,0 +1,59 @@
+---
+title: Always Validate Client Data Server-side
+impact: CRITICAL
+impactDescription: ensures input validation cannot be bypassed by attackers
+tags: validation, server-side, input, sanitization, security, kotlin
+---
+
+## Always Validate Client Data Server-side
+
+Client-side validation (browser or mobile apps) is for User Experience (UX) only. It can be easily bypassed using tools like Proxy, cURL, or Postman. All data entering the server must be strictly validated server-side.
+
+**Incorrect (trusting client validation):**
+
+```kotlin
+// No server validation - trusting the mobile app
+@PostMapping("/api/transfer")
+fun transfer(@RequestBody data: TransferRequest): ResponseEntity<Any> {
+    // amount could be negative or extremely large!
+    transferService.execute(data.fromAccount, data.toAccount, data.amount)
+    return ResponseEntity.ok(SuccessResponse())
+}
+```
+
+**Correct (comprehensive server validation):**
+
+```kotlin
+import jakarta.validation.constraints.*
+
+data class TransferRequest(
+    @get:NotBlank val toAccount: String,
+    @get:Positive @get:Max(1000000) val amount: Double
+)
+
+@PostMapping("/api/transfer")
+fun transfer(@Valid @RequestBody data: TransferRequest): ResponseEntity<Any> {
+    // 1. Data Format/Constraint validation (handled by @Valid)
+    
+    // 2. Business logic validation
+    if (!accountService.exists(data.toAccount)) {
+        throw AccountNotFoundException(data.toAccount)
+    }
+    
+    // 3. Authorization validation
+    if (!authService.canTransferFrom(currentUserId, data.fromAccount)) {
+        throw AccessDeniedException("Unauthorized account access")
+    }
+
+    transferService.execute(data.fromAccount, data.toAccount, data.amount)
+    return ResponseEntity.ok(SuccessResponse())
+}
+```
+
+**Validation Strategies:**
+- **JSR-303 / Bean Validation:** Use annotations like `@NotNull`, `@Size`, `@Pattern`, `@Min`, `@Max`.
+- **Schema Validation:** Use libraries like `Konform` or `Kvalidation` if not using Spring.
+- **Fail Fast:** Reject invalid data as early as possible in the request lifecycle.
+- **Sanitization:** Strip dangerous characters (e.g., HTML tags if not expected) to prevent XSS.
+
+**Tools:** Hibernate Validator, Konform (for Kotlin focus), SonarQube, Manual Security Audit

package/skill-assets/sunlint-code-quality/rules/kotlin/S026-tls-encryption.md

@@ -0,0 +1,50 @@
+---
+title: TLS Encryption For All Connections
+impact: CRITICAL
+impactDescription: protects data in transit from interception and tampering
+tags: tls, encryption, https, transport, security, kotlin
+---
+
+## TLS Encryption For All Connections
+
+All network communications, whether between the client and server or between internal services, must be encrypted using TLS. Unencrypted connections (HTTP, raw JDBC) allow attackers to perform Man-in-the-Middle (MitM) attacks to steal sensitive data.
+
+**Incorrect (unencrypted connections):**
+
+```kotlin
+// VULNERABLE: Using HTTP instead of HTTPS
+val client = HttpClient(CIO)
+client.get("http://api.production.sun-asterisk.vn/data")
+
+// VULNERABLE: Unencrypted database connection
+val url = "jdbc:postgresql://db.sun-asterisk.vn:5432/mydb"
+```
+
+**Correct (TLS everywhere):**
+
+```kotlin
+// 1. HTTPS for all external API calls
+client.get("https://api.production.sun-asterisk.vn/data")
+
+// 2. TLS for Database connections
+val url = "jdbc:postgresql://db.sun-asterisk.vn:5432/mydb?ssl=true"
+
+// 3. Enabling HSTS to force browsers to use HTTPS
+// In Ktor:
+install(HSTS) {
+    maxAgeInSeconds = 31536000 // 1 year
+    includeSubDomains = true
+}
+
+// 4. Redirecting HTTP to HTTPS
+// In Spring Security:
+// http.requiresChannel().anyRequest().requiresSecure()
+```
+
+**Requirements:**
+- All endpoints must strictly use HTTPS.
+- Plain HTTP requests must be redirected to HTTPS.
+- Use HSTS (`Strict-Transport-Security`) headers to prevent protocol downgrade attacks.
+- Ensure internal service-to-service communication is also encrypted (e.g., using a Service Mesh or internal CAs).
+
+**Tools:** OWASP ZAP, SSLyze, Qualys SSL Labs, Manual Review

package/skill-assets/sunlint-code-quality/rules/kotlin/S027-mtls-validation.md

@@ -0,0 +1,60 @@
+---
+title: Validate mTLS Certificates Before Auth
+impact: CRITICAL
+impactDescription: ensures mutual authentication between services, preventing unauthorized service impersonation
+tags: mtls, certificates, authentication, service-mesh, security, kotlin
+---
+
+## Validate mTLS Certificates Before Auth
+
+In a microservices architecture, Mutual TLS (mTLS) ensures that both the client and the server verify each other's certificates. This prevents unauthorized services from connecting to internal APIs even if they are within the same network.
+
+**Incorrect (not enforcing client certificates):**
+
+```kotlin
+// Server accepts any connection without requiring a valid client certificate
+// or doesn't validate the client's identity.
+val server = Netty.createServer(8443) {
+    ssl {
+        // Only server-side SSL configured
+        keyStore = myKeyStore
+    }
+}
+```
+
+**Correct (proper mTLS configuration and validation):**
+
+```kotlin
+// 1. Ktor/Netty configuration for mTLS
+install(HttpsRedirect)
+val server = embeddedServer(Netty, port = 8443) {
+    install(Authentication) {
+        // Some frameworks support X509 authentication directly
+    }
+}
+
+// 2. Manual certificate validation in an Interceptor/Filter
+fun validateClientCert(request: HttpServletRequest) {
+    val certs = request.getAttribute("javax.servlet.request.X509Certificate") as? Array<X509Certificate>
+    
+    if (certs == null || certs.isEmpty()) {
+        throw BadCredentialsException("Client certificate required")
+    }
+
+    val clientCert = certs[0]
+    val subjectDN = clientCert.subjectX500Principal.name
+    
+    // Validate the Subject Common Name (CN) against an authorized list
+    val authorizedServices = listOf("CN=payment-service", "CN=order-service")
+    if (!authorizedServices.any { subjectDN.contains(it) }) {
+        throw AccessDeniedException("Service $subjectDN is not authorized")
+    }
+}
+```
+
+**Implementation Steps:**
+- **Trust Store:** Configure your server with a trust store containing the CA certificates that are allowed to sign client certificates.
+- **Client Auth Mode:** Set SSL engine to `REQUIRE` client authentication (not just `WANT`).
+- **Authorization:** Certificate validation (the "m" in mTLS) only handles *authentication*. You still need to *authorize* based on the certificate's subject (e.g., matching the CN to a known service name).
+
+**Tools:** Istio/Linkerd (Service Mesh), OpenSSL, Spring Security X.509, Cloudflare mTLS

package/skill-assets/sunlint-code-quality/rules/kotlin/S028-upload-limits.md

@@ -0,0 +1,67 @@
+---
+title: Limit Upload File Size And Count
+impact: MEDIUM
+impactDescription: prevents Denial of Service (DoS) attacks via disk or memory exhaustion
+tags: upload, file-size, dos, limits, security, kotlin
+---
+
+## Limit Upload File Size And Count
+
+Allowing unlimited file uploads can quickly lead to server instability or crashes by exhausting disk space, memory, or CPU (during processing). All file upload endpoints must have strict limits on file size, number of files, and file types.
+
+**Incorrect (no limits):**
+
+```kotlin
+// Ktor: No multi-part configuration
+@PostMapping("/upload")
+fun upload(@RequestParam("file") file: MultipartFile) {
+    // No check on file.size or file.contentType
+    save(file)
+}
+```
+
+**Correct (explicit limits):**
+
+```kotlin
+// Ktor Configuration
+install(ContentNegotiation) {
+    // Limits can be enforced at the server level
+}
+
+// Spring Boot application.properties
+// spring.servlet.multipart.max-file-size=5MB
+// spring.servlet.multipart.max-request-size=10MB
+
+// Manual validation in Controller
+@PostMapping("/upload")
+fun handleUpload(@RequestParam("files") files: Array<MultipartFile>): ResponseEntity<Any> {
+    // 1. Limit File Count
+    if (files.size > 5) {
+        return ResponseEntity.badRequest().body("Max 5 files allowed")
+    }
+
+    files.forEach { file ->
+        // 2. Limit File Size
+        if (file.size > 5 * 1024 * 1024) { // 5MB
+            return ResponseEntity.status(413).body("File ${file.originalFilename} is too large")
+        }
+
+        // 3. Limit Content Type
+        val allowedTypes = listOf("image/jpeg", "image/png", "application/pdf")
+        if (!allowedTypes.contains(file.contentType)) {
+            return ResponseEntity.badRequest().body("Unsupported file type: ${file.contentType}")
+        }
+    }
+    
+    // Process files...
+    return ResponseEntity.ok("Success")
+}
+```
+
+**Attack Vectors Prevented:**
+- **Disk Exhaustion:** Filling up server storage with massive files.
+- **Memory Exhaustion:** Trying to buffer large files in RAM.
+- **Zip Bomb:** Uploading small compressed files that expand to petabytes (if unzipping on server).
+- **Remote Code Execution:** Restricted via file-type whitelisting (preventing `.php`, `.jsp`, `.sh` uploads).
+
+**Tools:** Spring Multipart Config, Ktor MultiPartData, NGINX `client_max_body_size`, Manual Audit

package/skill-assets/sunlint-code-quality/rules/kotlin/S029-csrf-protection.md

@@ -0,0 +1,57 @@
+---
+title: Apply CSRF Protection
+impact: HIGH
+impactDescription: prevents Cross-Site Request Forgery (CSRF) attacks by ensuring requests originate from the intended application
+tags: csrf, tokens, forms, security, kotlin
+---
+
+## Apply CSRF Protection
+
+CSRF attacks force an authenticated user to execute unwanted actions on a web application in which they're currently authenticated (like changing passwords or transferring funds). Modern web frameworks provide built-in protection that must be enabled and properly configured.
+
+**Incorrect (no CSRF protection):**
+
+```kotlin
+// Spring Security - disabling CSRF without a valid reason
+override fun configure(http: HttpSecurity) {
+    http.csrf().disable() // VULNERABLE if using Cookie-based auth
+}
+
+// Raw HTML form without token
+// <form action="/api/transfer" method="POST"> ... </form>
+```
+
+**Correct (CSRF protection enabled):**
+
+```kotlin
+// Spring Security (enabled by default)
+@Configuration
+@EnableWebSecurity
+class SecurityConfig : WebSecurityConfigurerAdapter() {
+    override fun configure(http: HttpSecurity) {
+        http
+            .csrf()
+            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+    }
+}
+
+// In Template (Thymeleaf example)
+// <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />
+
+// Ktor CSRF Protection
+install(Sessions) {
+    cookie<UserSession>("user_session")
+}
+install(CSRF) {
+    // Validate that a specific header is present
+    checkHeader("X-CSRF-TOKEN")
+}
+```
+
+**CSRF Defense Strategies:**
+1.  **Anti-CSRF Tokens:** Include a unique, secret, and unpredictable token in all state-changing requests (POST, PUT, DELETE).
+2.  **SameSite Cookies:** Set `SameSite=Strict` or `Lax` on all session cookies.
+3.  **Custom Request Headers:** For APIs, requiring a custom header (like `X-Requested-With`) can block requests from standard `<form>` submissions.
+4.  **Verification of Origin:** Validate `Origin` and `Referer` headers on the server.
+
+**Tools:** Spring Security CSRF, OWASP ZAP, Burp Suite, Browser DevTools

package/skill-assets/sunlint-code-quality/rules/kotlin/S030-directory-browsing.md

@@ -0,0 +1,50 @@
+---
+title: Disable Directory Browsing
+impact: MEDIUM
+impactDescription: prevents unauthorized file enumeration and system reconnaissance
+tags: directory, listing, file-exposure, security, kotlin
+---
+
+## Disable Directory Browsing
+
+Directory listing (auto-indexing) allows users to see all files in a directory if an index file is missing. This can expose sensitive configuration files, source code backups, or private user data.
+
+**Incorrect (directory listing enabled):**
+
+```kotlin
+// Ktor: Configuring static files without disabling auto-index (if plugin allows it)
+
+// NGINX configuration (if serving static files for your app)
+location /static/ {
+    autoindex on; // INSECURE: Shows list of files
+}
+```
+
+**Correct (directory listing disabled):**
+
+```kotlin
+// Ktor: Static content doesn't list directories by default
+routing {
+    static("/static") {
+        resources("static")
+        // No auto-indexing here
+    }
+}
+
+// Spring Boot (Disabled by default in embedded Tomcat)
+// Ensure no custom configuration enables directory listing.
+
+// NGINX (Secure configuration)
+location /static/ {
+    autoindex off;
+    try_files $uri $uri/ =404;
+}
+
+// Use an index file to prevent listing
+// Create an empty index.html in every static directory.
+```
+
+**Why it matters:**
+Exposing a directory structure tells an attacker which files exist, which libraries you use (if `node_modules` or `jar` files are visible), and might reveal "hidden" files like `.env.bak` or `.git/`.
+
+**Tools:** Web server configuration (NGINX/Apache), OWASP ZAP, Nikto, Manual Review

package/skill-assets/sunlint-code-quality/rules/kotlin/S031-secure-cookie-flag.md

@@ -0,0 +1,51 @@
+---
+title: Set Secure Flag On Session Cookies
+impact: HIGH
+impactDescription: prevents cookie theft over unencrypted connections
+tags: cookies, secure, https, session, security, kotlin
+---
+
+## Set Secure Flag On Session Cookies
+
+Without the `Secure` flag, browser cookies can be transmitted over unencrypted HTTP connections, where they can be easily intercepted by attackers (Man-in-the-Middle).
+
+**Incorrect (no Secure flag):**
+
+```kotlin
+// Raw Ktor response
+call.response.cookies.append("session", token) // No flags set!
+
+// Spring Boot / Servlet
+val cookie = Cookie("session", token)
+response.addCookie(cookie) // Secure flag defaults to false
+```
+
+**Correct (Secure flag set):**
+
+```kotlin
+// Ktor
+call.response.cookies.append(
+    name = "session",
+    value = token,
+    secure = true,       // HTTPS only
+    httpOnly = true,
+    extensions = mapOf("SameSite" to "Strict")
+)
+
+// Spring Boot / Servlet
+val cookie = Cookie("session", token).apply {
+    isSecure = true      // HTTPS only
+    isHttpOnly = true
+    path = "/"
+}
+response.addCookie(cookie)
+
+// Spring Boot Application Configuration (application.properties)
+// server.servlet.session.cookie.secure=true
+```
+
+**Validation:**
+- In production, always ensure `secure = true`.
+- For local development without HTTPS, this may need to be configurable but must be enabled by default for all deployed environments.
+
+**Tools:** OWASP ZAP, SonarQube, Manual Security Audit, Browser DevTools

package/skill-assets/sunlint-code-quality/rules/kotlin/S032-httponly-cookie.md

@@ -0,0 +1,49 @@
+---
+title: Set HttpOnly On Session Cookies
+impact: HIGH
+impactDescription: prevents session cookie theft via Cross-Site Scripting (XSS)
+tags: cookies, httponly, xss, session, security, kotlin
+---
+
+## Set HttpOnly On Session Cookies
+
+Without the `HttpOnly` flag, the `document.cookie` API can be used to access sensitive session cookies from JavaScript. This allows an attacker to steal active sessions using a Cross-Site Scripting (XSS) vulnerability.
+
+**Incorrect (no HttpOnly flag):**
+
+```kotlin
+// Ktor
+call.response.cookies.append("session", token) // No HttpOnly!
+
+// Spring Boot / Servlet
+val cookie = Cookie("session", token)
+response.addCookie(cookie) // HttpOnly defaults to false
+```
+
+**Correct (HttpOnly set):**
+
+```kotlin
+// Ktor
+call.response.cookies.append(
+    name = "session",
+    value = token,
+    httpOnly = true,    // Prevents JS access
+    secure = true,
+    extensions = mapOf("SameSite" to "Strict")
+)
+
+// Spring Boot / Servlet
+val cookie = Cookie("session", token).apply {
+    isHttpOnly = true   // Prevents JS access
+    isSecure = true
+}
+response.addCookie(cookie)
+
+// Spring Boot Application Configuration (application.properties)
+// server.servlet.session.cookie.http-only=true
+```
+
+**Security Impact:**
+Even if your application has an XSS vulnerability, the `HttpOnly` flag prevents the attacker from immediately stealing the session identifier, buying time for detection and defense.
+
+**Tools:** OWASP ZAP, Burp Suite, Browser DevTools (Verify "HttpOnly" column checked)

package/skill-assets/sunlint-code-quality/rules/kotlin/S033-samesite-cookie.md

@@ -0,0 +1,54 @@
+---
+title: Set SameSite On Session Cookies
+impact: MEDIUM
+impactDescription: provides fundamental Cross-Site Request Forgery (CSRF) protection
+tags: cookies, samesite, csrf, session, security, kotlin
+---
+
+## Set SameSite On Session Cookies
+
+The `SameSite` attribute tells the browser whether to send cookies in cross-site requests. Setting this to `Strict` or `Lax` provides a strong baseline defense against CSRF attacks.
+
+**Incorrect (no SameSite attribute):**
+
+```kotlin
+// Ktor
+call.response.cookies.append("session", token) // SameSite not specified
+
+// Servlet / Spring Boot (Old versions or manual Cookie setting)
+val cookie = Cookie("session", token)
+response.addCookie(cookie) // No native SameSite setter in standard Servlet API < 6.0
+```
+
+**Correct (SameSite set):**
+
+```kotlin
+// Ktor
+import io.ktor.http.*
+call.response.cookies.append(
+    name = "session",
+    value = token,
+    httpOnly = true,
+    secure = true,
+    extensions = mapOf("SameSite" to "Strict") // or "Lax"
+)
+
+// Spring Boot / Spring Security (Recommended approach)
+// Configure in application.properties/yml
+// server.servlet.session.cookie.same-site=strict
+
+// Manual Header (if using raw Response and older Servlet API)
+response.setHeader("Set-Cookie", "session=$token; Path=/; HttpOnly; Secure; SameSite=Strict")
+```
+
+**SameSite Options:**
+
+| Value | Behavior |
+|-------|----------|
+| `Strict` | Cookie is only sent if the request originates from the same site. Most secure. |
+| `Lax` | Sent on same-site requests and top-level GET navigations (clicking links). |
+| `None` | Always sent. Requires the `Secure` flag to be set. Use with caution. |
+
+**Recommended:** Use `Strict` for all authentication and session handling cookies. Use `Lax` for user-experience-related cookies where cross-site links might need to maintain state.
+
+**Tools:** Browser DevTools (Application tab -> Cookies), OWASP ZAP, Manual review