Implement cookie HTTP header flags with HttpOnly & Secure to guard a website from XSS attacks
Did you know that you can mitigate the most common XSS attacks by using the HttpOnly and Secure flags with your cookies?
XSS is dangerous. With an increasing number of XSS attacks every day, you should consider securing your web applications.
Without the HttpOnly and Secure flags in the HTTP response header, it is possible to steal or manipulate web application sessions and cookies. HttpOnly keeps the cookie out of reach of client-side scripts (so a script injected via XSS cannot read it), and Secure makes the browser send the cookie only over HTTPS.
It is best to set these flags in the application code itself. However, when developers have not done so, the task falls to the web server administrators.
I won't talk about setting these up at the code level. You can refer here.
Implementation process in Apache
- Make sure you have mod_headers.so enabled in the Apache HTTP server
- Add the following entry to httpd.conf
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
- Restart the Apache HTTP server to apply the change and test it
Note: Header editing is not compatible with versions lower than Apache 2.2.4.
You can use the following to set the HttpOnly and Secure flags on a version lower than 2.2.4. Thanks to Ytse for sharing this information.
Header set Set-Cookie HttpOnly;Secure
Verification
You can use the browser's built-in developer tools to check the response header, or you can use an online tool.
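The following Python script is an added example, not part of the original post and not Apache's own code. It serves two purposes: it simulates what the Header edit directive above does to each Set-Cookie value (the same ^(.*)$ regex and $1;HttpOnly;Secure replacement), and it implements the verification step offline by parsing a constructed raw HTTP response and reporting which cookies still lack a flag. The sample response, the cookie names in it and the helper function names are assumptions made for the example.

```python
import re

# Constructed sample of a raw HTTP response head (not captured from any real server).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: JSESSIONID=abc123; Path=/
Set-Cookie: theme=dark; Path=/; HttpOnly
Set-Cookie: csrftoken=xyz789; Path=/; Secure; HttpOnly
"""

# Regex and replacement taken from the page's directive:
#   Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# re.sub with count=1 mirrors Apache's "edit" form, which replaces exactly once.
PAGE_PATTERN = re.compile(r"^(.*)$")
PAGE_REPLACEMENT = r"\1;HttpOnly;Secure"


def apply_page_edit(cookie_value):
    """Simulate the page's Header edit directive on one Set-Cookie value."""
    return PAGE_PATTERN.sub(PAGE_REPLACEMENT, cookie_value, count=1)


def cookie_attributes(cookie_value):
    """Lower-cased set of attributes after the name=value pair (Path, Secure, ...)."""
    return {part.strip().lower() for part in cookie_value.split(";")[1:]}


def apply_idempotent_edit(cookie_value):
    """Hypothetical safer variant (assumption, not from the page): append only the
    flags that are missing, so cookies the application already hardened are not
    tagged twice the way the plain ^(.*)$ rewrite does."""
    attrs = cookie_attributes(cookie_value)
    value = cookie_value
    if "httponly" not in attrs:
        value += "; HttpOnly"
    if "secure" not in attrs:
        value += "; Secure"
    return value


def parse_set_cookie_headers(raw_response):
    """Return the values of every Set-Cookie header in a raw HTTP response head."""
    values = []
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def cookie_flags(cookie_value):
    """Report which of the two flags a single Set-Cookie value carries."""
    attrs = cookie_attributes(cookie_value)
    name = cookie_value.split(";", 1)[0].split("=", 1)[0].strip()
    return {"name": name, "httponly": "httponly" in attrs, "secure": "secure" in attrs}


def missing_flags(raw_response):
    """Names of cookies lacking HttpOnly or Secure: the finding an admin acts on."""
    return [
        flags["name"]
        for flags in map(cookie_flags, parse_set_cookie_headers(raw_response))
        if not (flags["httponly"] and flags["secure"])
    ]


if __name__ == "__main__":
    print("Before the directive, cookies missing a flag:", missing_flags(SAMPLE_RESPONSE))
    for value in parse_set_cookie_headers(SAMPLE_RESPONSE):
        print("  page edit:      ", apply_page_edit(value))
        print("  idempotent edit:", apply_idempotent_edit(value))
```

Running the script shows the one caveat worth knowing about the page's directive: a cookie that already carries HttpOnly comes out as `...; HttpOnly;HttpOnly;Secure`. Browsers tolerate the duplicate attribute, but it is a sign the rewrite is applied blindly, which is why the idempotent variant checks before appending. After either rewrite, `missing_flags` reports an empty list for the sample response, which is the same check you would make by hand in the browser's developer tools.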
Did it assist?
This is one of the many hardening steps you can take in Apache.