Severity: low | CWE-16

No Cookie Banner

Setting non-essential cookies without user consent violates GDPR and ePrivacy Directive requirements for EU users.

How It Works

GDPR and the EU ePrivacy Directive require explicit consent before setting non-essential cookies (analytics, advertising, tracking). Strictly necessary cookies (session, auth) don't require consent. Without a cookie banner, running Google Analytics, PostHog, or any third-party tracker on EU users is a legal violation.

Vulnerable Code

// BAD: analytics initialized immediately without consent check
// _app.tsx or layout.tsx
import posthog from 'posthog-js';
posthog.init('YOUR_KEY'); // fires before user can consent

Secure Code

// GOOD: initialize analytics only after user consents
import { useState, useEffect } from 'react';
import posthog from 'posthog-js';
export default function App({ children }) {
  // Read the stored choice on first render; the window guard keeps this safe under SSR
  const [hasConsent, setHasConsent] = useState(
    () => typeof window !== 'undefined' && localStorage.getItem('cookie-consent') === 'accepted'
  );

  useEffect(() => {
    if (hasConsent) {
      posthog.init('YOUR_KEY'); // only after consent
    }
  }, [hasConsent]);
  // Show CookieBanner component if !hasConsent; its accept handler (onAccept prop assumed here)
  // writes localStorage 'cookie-consent' = 'accepted' and then calls setHasConsent(true)
  return (
    <>
      {!hasConsent && <CookieBanner onAccept={() => setHasConsent(true)} />}
      {children}
    </>
  );
}

Real-World Example

The French data protection authority (CNIL) fined Google €150 million and Facebook €60 million in 2022 for making it harder to refuse cookies than to accept them. Cookie consent enforcement is active and penalties are significant.

How to Prevent It

  • Show a cookie consent banner before initializing any analytics or advertising scripts
  • Make declining cookies as easy as accepting them — equal prominence for accept/decline buttons
  • Store consent choice in localStorage and respect it on every page load
  • Use a consent management platform (CMP) like Cookiebot for complex cookie setups
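The following is an added example, not code from the original page or from Data Hogo, that implements the prevention steps above as a framework-agnostic consent gate: nothing non-essential loads until an explicit accept, a stored rejection is honoured on every page load, a stale or corrupted stored value re-triggers the banner, and accept and decline are symmetric calls so the two buttons can be wired with equal prominence. The storage object is injected so the same logic runs against window.localStorage in a browser and against an in-memory stand-in here. The key name cookie-consent comes from the page; CONSENT_VERSION, the function names and the record layout are assumptions of this example.

```javascript
// Added example: consent gate for non-essential trackers (not Data Hogo code).
// Storage is injected: pass window.localStorage in a browser, memoryStorage() in tests.

const CONSENT_KEY = 'cookie-consent';   // key name used on the page
const CONSENT_VERSION = 1;              // assumption: bump when cookie categories change so users are re-asked

// Returns 'accepted', 'rejected', or null when no valid choice is stored.
// A stale version or unparseable value counts as "no choice", so the banner is shown again.
function readConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (raw === null) return null;
  try {
    const record = JSON.parse(raw);
    if (record.version !== CONSENT_VERSION) return null;
    return record.choice === 'accepted' || record.choice === 'rejected' ? record.choice : null;
  } catch {
    return null; // corrupted value: treat as no consent rather than as consent
  }
}

// Persists the choice with version and timestamp (the timestamp doubles as an audit record).
function recordConsent(storage, choice, now = Date.now()) {
  if (choice !== 'accepted' && choice !== 'rejected') {
    throw new Error('choice must be "accepted" or "rejected"');
  }
  storage.setItem(CONSENT_KEY, JSON.stringify({ version: CONSENT_VERSION, choice, timestamp: now }));
  return choice;
}

// Wraps tracker initialisers. `loaders` is an array of functions that start one
// non-essential tracker each (e.g. () => posthog.init('YOUR_KEY')). They run at most
// once per page, and only after an explicit 'accepted' is found in storage.
function createConsentGate(storage, loaders) {
  let loaded = false;
  const gate = {
    // Call on every page load: honours a previously stored choice.
    apply() {
      if (!loaded && readConsent(storage) === 'accepted') {
        loaders.forEach((load) => load());
        loaded = true;
      }
      return loaded;
    },
    // Wire these two to equally prominent banner buttons.
    accept() { recordConsent(storage, 'accepted'); return gate.apply(); },
    decline() { recordConsent(storage, 'rejected'); return gate.apply(); },
    // The banner is needed only while no valid choice exists.
    needsBanner() { return readConsent(storage) === null; },
  };
  return gate;
}

// Minimal in-memory stand-in for localStorage (constructed for this demo).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Demo run: decline first, then accept, then simulate a later page load.
function demo() {
  const storage = memoryStorage();
  let initCalls = 0;
  const gate = createConsentGate(storage, [() => { initCalls += 1; }]);
  const beforeChoice = gate.apply();   // false: nothing stored yet
  gate.decline();
  const afterDecline = initCalls;      // 0: a rejection never starts the tracker
  gate.accept();
  gate.apply();                        // later page load: no second init
  return { beforeChoice, afterDecline, initCalls, needsBanner: gate.needsBanner() };
}
```

In a browser the same module is used as createConsentGate(window.localStorage, [() => posthog.init('YOUR_KEY')]) with gate.apply() called on every load and gate.needsBanner() deciding whether to render the banner; the version field is what lets a site re-prompt after adding a new tracker instead of silently reusing an older consent.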

Affected Technologies

javascript

Data Hogo detects this vulnerability automatically.
