Implement cookie HTTP header flag with HTTPOnly & Secure to protect website from XSS attacks
Do you know you can mitigate most common XSS attack using HttpOnly and Secure flag with your cookie? XSS is dangerous, very dangerous. By looking at increasing number of XSS attack on a daily basis, you must secure your web applications.
Without having HttpOnly and Secure flag in HTTP response header, it is possible to steal or manipulate web application session and cookies. It’s good practice to set a HttpOnly and Secure flag in application code by developers.
However, due to bad programming or developers’ unawareness, it comes to Web Infrastructures.
I will not talk about how to set these at the code level. You can refer here.
While performing security test on web applications, it’s expected that you will have to fix these to pass the penetration test. This is how you can fix these in Apache Web Server.
Implementation procedure in Apache
1. Ensure you have mod_headers.so enabled in Apache instance
2. Add following entry in httpd.conf
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
3. Restart Apache Web Server
Note: Header edit is not compatible with lower than Apache 2.2.4 version. You can use following to set HttpOnly and Secure flag in lower than 2.2.4 version. Thanks to Ytse for sharing this information.
Header set Set-Cookie HttpOnly;Secure
Verification
Open your website with HTTP Watch, Live HTTP Header or HTTP Header Online tool.
Check HTTP response header, you should see as highlighted
It’s essential to secure your web applications with required settings. If you are looking for complete website security solution you may refer to web application firewall as explained here.
30 Comments
Everything is very open with a precise explanation of the issues.
It was truly informative. Your website is very useful. Thanks for
sharing!
I am glad it was useful to you.
Hello
I have set this but php session is not working, php session is restart when page refresh or reload.
Hello Saeid,
Thanks for visiting. It sounds like conflicts. Can you check the PHP application logs to see if any clue?
Hi,
We are running Apache/2.2.17 (Unix)
Please let me know how to check
mod_headers.so enabled ?
How to enable cookie in version 2.2.17 ?
Thanks
Hello Rajesh,
1. Search for mod_headers.so in httpd.conf file and if it’s not commented then it’s enabled.
2. Use below cde in 2.2 version
Header set Set-Cookie HttpOnly;Secure
Hi, will this still work if the session to the servers is non-SSL. So SSL if offloaded (ssl-termination) on the load-balancers and from there it is non-encrypted to the Apache servers.
For my situation, it doesn’t work for non-SSL (http) connections. It works for SSL connections.
Hello,
I will have to check this out.
Hi Sandev / Chandan ,
I have same kind of environment ssl-termination on the load-balancers and non encrypted path to webserver. Will this work in this situation ? Any updates?
Hello Lin,
I haven’t tested in environment like you so give a try and see if that works.
Hi, If we apply “Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure” in apache level your application JSESSION_ID will be vanished ..
Please suggest any additional configurations required to get JSESSION_ID ?
Hello Suresh,
I will have to do some try on this and let you know.
We have apache version 1.3.9
Does this version will support configuration for secure cookie and httponly flag?
Thanks for the informative writing…. I was completely new to this, can u pls help me how could we define the same for a specific cookie? i.e, authentication/authorization of a apache cookie, not sure if my question was clear. thanks in advance.
Glad it was helpful to you. I will have to try out on defining specific cookie.
Hi Chandan,
I am working on a new application, in development phase we have not configured any DNS URL and directly accessing it via Web server. In short, we are using http not https while accessing application. Now, what I have observed is that if I use setting to use both httpOnly & Secure as “Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure” application throws 500 error and causing login error issue. If Secure is disabled and only “Header edit Set-Cookie ^(.*)$ $1;HttpOnly” its working fine.
Can you suggest or confirm if the issue will not be observed incase we use DNS URL with https protocol ? This will help us for later stages in application launch phases.
Regards,
Deepak.
Hello Deepak,
Secure will work when having https so as you said once you have DNS ready with SSL it shouldn’t break.
I am using apache 2.2.3, how do I search mod_headers.so file as I tried to find it but unable to trace.
1. If I do not get this file then where do I make the suggested changes.
2. Can I implement the suggested changes in a running server? If yes, what precaution should I need to take care?
Hello Kuldeep,
If it’s not available then you need to compile apache with mod_headers. You may refer this – https://www.eukhost.com/forums/f30/how-add-mod_headers-apache-981/
As a best practice – test in non-production and take a complete backup before touching the running environment.
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: sun, 20 mar 2016 12:24:59 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Link: ; rel=”\\/”
Link: ; rel=shortlink
Pragma: no-cache
Server: Apache
Set-Cookie: PHPSESSID=########################; path=/
Set-Cookie: AWSELB=##################################;PATH=/
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/5.6.16
X-XSS-Protection: 1; mode=block
Connection: keep-alive
my website has not enabled httponly but in the header field you can seeX-XSS-Protection: 1; mode=block.
So my question here is
1)X-XSS-Protection: 1; mode=block but http only is not enabled . is it prone to xss
Hello annoni,
It could be something else than related.
Hello
I have set this but php session is not working, php session is restart when page refresh or reload.
And I use the Yii 1.0 ,so do u have some advice about this? thx
hello
I found when I use Yii1.0 framework ,php session will not work ,so could u help me ?
I am sorry, not aware about that framework.
Hello in my environment, I am using Apache 2.4.12.
If I use, Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure, it is not working..
can u please share any info to edit the existing cookie on this apache version.
If I use “Header set Set-Cookie HttpOnly;Secure”. It is adding another cookie with the attributes HttpOnly & secure.
Ex:
Set-Cookie: MY_APPLICATION_NAME=en_US; expires=Fri, 06-May-2016 08:20:46 GMT
Set-Cookie: HttpOnly;Secure
So when I scan my application for security vulnerability, I still see this as vulnerability.
Hi, thanks for this easy to understand guide.
But I think, marking ALL cookies per default as HttpOnly is a bad choice. There are some cases that we want to send both HttpOnly and not HttpOnly cookies. For example in case of sending XSRF Token to the client. To avoid XSRF attacks, client code should explicitly add received XSRF Token into header. If XSRF Token value were in a HttpOnly cookie, client code cannot access this value.
Hello Selim,
Thanks for the feedback. Yes, it should be really based on the application needs.
This has caused our server to issue multiple httponly and secure flags on one cookie.
Set-Cookie: JSESSIONID = A32E0EAFB76ABC5BADD08DF93764B666; path=/clin-rcil;Secure;HttpOnly;HttpOnly;HttpOnly;Secure
Any thoughts? I think we are version 2.2.9, still waiting to confirm.