Implement the HttpOnly and Secure cookie header flags to protect your website from XSS attacks
Did you know that you can mitigate the most common XSS attacks by setting the HttpOnly and Secure flags on your cookies? XSS is dangerous, very dangerous. With the number of XSS attacks growing daily, you must secure your web applications.
Without the HttpOnly and Secure flags in the HTTP response header, it is possible to steal or manipulate web application sessions and cookies. It is good practice for developers to set the HttpOnly and Secure flags in the application code.
However, because of poor programming practice or developers' unawareness, the task often falls to the web infrastructure team.
I will not talk about how to set these at the code level; you can refer here.
When a security test is performed on your web application, you will be expected to fix these findings in order to pass the penetration test. Here is how you can fix them in Apache Web Server.
Implementation procedure in Apache
1. Ensure mod_headers.so is enabled in your Apache instance
2. Add the following entry to httpd.conf
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
3. Restart Apache Web Server
Note: Header edit is not available in Apache versions lower than 2.2.4. In those versions you can use the following to set the HttpOnly and Secure flags. Thanks to Ytse for sharing this information.
Header set Set-Cookie HttpOnly;Secure
Open your website with HTTPWatch, Live HTTP Headers, or an online HTTP header tool.
Check the HTTP response header; you should see the HttpOnly and Secure flags on the Set-Cookie header, as highlighted.
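As an added example for this verification step (not part of the original post), here is a POSIX shell function that reads raw response headers, for instance from curl -sI, and reports every Set-Cookie header that lacks the HttpOnly or Secure attribute. The sample response and the example.com URL are constructed for illustration.

```shell
# check_cookie_flags: read raw HTTP response headers on stdin and report every
# Set-Cookie header that lacks the HttpOnly or Secure attribute.
# Exit status: 0 = all cookies flagged, 1 = at least one cookie missing a flag,
#              2 = no Set-Cookie header seen at all (nothing to verify).
check_cookie_flags() {
    # Strip CRs so the regexes below see clean line ends. awk does the parsing
    # because attribute names are case-insensitive (RFC 6265) and a bare
    # substring match would accept a cookie that is merely *named* "httponly".
    tr -d '\r' | awk '
        tolower($0) ~ /^set-cookie:/ {
            total++
            l = tolower($0)
            # The attribute must stand alone between separators, with or without
            # a space (Header edit above appends ";HttpOnly;Secure" without one).
            has_httponly = (l ~ /; *httponly *(;|$)/)
            has_secure   = (l ~ /; *secure *(;|$)/)
            if (!has_httponly || !has_secure) {
                bad++
                msg = "MISSING"
                if (!has_httponly) msg = msg " HttpOnly"
                if (!has_secure)   msg = msg " Secure"
                print msg ": " $0
            }
        }
        END {
            if (total == 0) { print "no Set-Cookie header in response"; exit 2 }
            printf("%d Set-Cookie header(s) checked, %d missing flags\n", total, bad)
            exit (bad > 0)
        }'
}

# Constructed sample response (not captured from a real server): the first
# cookie is correctly flagged, the second is what an unfixed app typically emits.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly; Secure
Set-Cookie: prefs=dark; Path=/
Content-Type: text/html'

printf '%s\n' "$SAMPLE_RESPONSE" | check_cookie_flags || echo "fix needed (exit $?)"

# Against your own site after the Apache change (hypothetical URL):
#   curl -sI https://www.example.com/login | check_cookie_flags
```

Run it against the login page and any response that sets a cookie on a redirect, not only the home page. If those still fail after the change, a plain Header directive only applies to successful responses, and Apache's `Header always edit` form is needed to rewrite headers on other status codes.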
It is essential to secure your web applications with the required settings. If you are looking for a complete website security solution, you may refer to web application firewalls as explained here.