## Critical Security Flaw: Session Cookie Exposed to JavaScript in App Configuration
A critical security misconfiguration has been identified in the application's core setup, directly exposing user session cookies to client-side JavaScript. The `SESSION_COOKIE_HTTPONLY` flag is explicitly disabled in `app/init_config.py`, removing a fundamental layer of protection against cross-site scripting (XSS). This deviation from the secure default creates a significant and immediate vulnerability, turning any XSS flaw into a direct path to session hijacking.

The flaw is hardcoded at line 27 of the `app/init_config.py` configuration file. By setting `SESSION_COOKIE_HTTPONLY` to `False`, the application deliberately allows JavaScript to read the session cookie value. This contravenes standard security practice, in which the `HttpOnly` attribute prevents client-side scripts from accessing sensitive session identifiers and thereby limits the damage an XSS exploit can do.

This configuration error dramatically amplifies the risk profile of the entire application. If an XSS vulnerability exists elsewhere in the codebase, a common occurrence, an attacker's injected script can trivially exfiltrate the session cookie. Successful theft grants the attacker full access to the user's authenticated session, enabling account takeover without any credentials. The issue represents a foundational security failure that demands urgent remediation to prevent credential and data breaches.
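Added example, not code from the issue or the project: a stdlib-only audit that parses a Flask-style config module for the session-cookie settings and renders the `Set-Cookie` header those settings produce, so the weak and the corrected configuration can be compared. The two config snippets are constructed; the project's own `app/init_config.py` is not reproduced.

```python
"""Audit Flask-style session-cookie settings and show the resulting Set-Cookie header."""
import ast
from http.cookies import SimpleCookie

# Constructed stand-in for a misconfigured app/init_config.py (not the project's file).
WEAK_CONFIG_SRC = """
SECRET_KEY = "placeholder-secret"
SESSION_COOKIE_HTTPONLY = False
SESSION_COOKIE_SECURE = True
"""

# Constructed hardened version: HttpOnly restored, SameSite added.
HARDENED_CONFIG_SRC = """
SECRET_KEY = "placeholder-secret"
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_SAMESITE = "Lax"
"""

# Flask's defaults for the audited keys; HttpOnly is on by default, so False is an explicit downgrade.
DEFAULTS = {"SESSION_COOKIE_HTTPONLY": True, "SESSION_COOKIE_SECURE": False, "SESSION_COOKIE_SAMESITE": None}


def load_config(src: str) -> dict:
    """Collect top-level NAME = <literal> assignments without importing/executing the module."""
    cfg = dict(DEFAULTS)
    for node in ast.parse(src).body:
        if isinstance(node, ast.Assign) and len(node.targets) == 1 and isinstance(node.targets[0], ast.Name):
            try:
                cfg[node.targets[0].id] = ast.literal_eval(node.value)
            except ValueError:
                pass  # computed value, leave it for manual review
    return cfg


def audit_session_cookie(cfg: dict) -> list[str]:
    """Return one finding per weakened session-cookie attribute."""
    findings = []
    if cfg.get("SESSION_COOKIE_HTTPONLY") is not True:
        findings.append("SESSION_COOKIE_HTTPONLY is not True: JavaScript can read the session cookie (XSS -> session theft)")
    if cfg.get("SESSION_COOKIE_SECURE") is not True:
        findings.append("SESSION_COOKIE_SECURE is not True: cookie may be sent over plaintext HTTP")
    if cfg.get("SESSION_COOKIE_SAMESITE") not in ("Lax", "Strict"):
        findings.append("SESSION_COOKIE_SAMESITE is not Lax/Strict: cookie offers no CSRF containment")
    return findings


def set_cookie_header(cfg: dict, value: str = "opaque-session-id") -> str:
    """Render the Set-Cookie header value these settings yield (attribute names as Flask emits them)."""
    jar = SimpleCookie()
    jar["session"] = value  # constructed placeholder session id
    jar["session"]["httponly"] = bool(cfg.get("SESSION_COOKIE_HTTPONLY"))
    jar["session"]["secure"] = bool(cfg.get("SESSION_COOKIE_SECURE"))
    if cfg.get("SESSION_COOKIE_SAMESITE"):
        jar["session"]["samesite"] = cfg["SESSION_COOKIE_SAMESITE"]
    return jar.output(header="").strip()
```

Running `audit_session_cookie(load_config(WEAK_CONFIG_SRC))` flags the missing `HttpOnly` and `SameSite` attributes, while the hardened config produces no findings and a header carrying `HttpOnly; SameSite=Lax; Secure`.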

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, session_management, XSS, configuration
- **Credibility**: unverified
- **Published**: 2026-04-05 10:26:51
- **ID**: 50484
- **URL**: https://whisperx.ai/en/intel/50484