Implement cookie HTTP header flag with HTTPOnly & Secure to protect website from XSS attacks
Do you know you can mitigate most common XSS attacks using HttpOnly and Secure flag with your cookie?
XSS is dangerous. By looking at increasing number of XSS attack on a daily basis, you must consider securing your web applications.
Without having HttpOnly and Secure flag in HTTP response header, it is possible to steal or manipulate web application session and cookies.
It’s better to manage this within application code. However, due to developers’ unawareness, it comes to Web Server administrators.
I will not talk about how to set these at the code level. You can refer here.
Implementation Procedure in Apache
1. Ensure you have mod_headers.so enabled in Apache HTTP server
2. Add following entry in httpd.conf
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
3. Restart Apache HTTP server to test
Note: Header edit is not compatible with lower than Apache 2.2.4 version.
You can use the following to set HttpOnly and Secure flag in lower than 2.2.4 version. Thanks to Ytse for sharing this information.
Header set Set-Cookie HttpOnly;Secure
Verification
You can either leverage browser’s inbuilt developer tools to check the response header or use online tool.
Did it help?
This is one of the many hardening things to do in Apache. And, the best approach to perform a regular scan against your web applications to find security vulnerabilities.
This has caused our server to issue multiple httponly and secure flags on one cookie.
Set-Cookie: JSESSIONID = A32E0EAFB76ABC5BADD08DF93764B666; path=/clin-rcil;Secure;HttpOnly;HttpOnly;HttpOnly;Secure
Any thoughts? I think we are version 2.2.9, still waiting to confirm.
Hi, thanks for this easy to understand guide.
But I think, marking ALL cookies per default as HttpOnly is a bad choice. There are some cases that we want to send both HttpOnly and not HttpOnly cookies. For example in case of sending XSRF Token to the client. To avoid XSRF attacks, client code should explicitly add received XSRF Token into header. If XSRF Token value were in a HttpOnly cookie, client code cannot access this value.
Hello Selim,
Thanks for the feedback. Yes, it should be really based on the application needs.
Hello in my environment, I am using Apache 2.4.12.
If I use, Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure, it is not working..
can u please share any info to edit the existing cookie on this apache version.
If I use “Header set Set-Cookie HttpOnly;Secure”. It is adding another cookie with the attributes HttpOnly & secure.
Ex:
Set-Cookie: MY_APPLICATION_NAME=en_US; expires=Fri, 06-May-2016 08:20:46 GMT
Set-Cookie: HttpOnly;Secure
So when I scan my application for security vulnerability, I still see this as vulnerability.
Hello
I have set this but php session is not working, php session is restart when page refresh or reload.
And I use the Yii 1.0 ,so do u have some advice about this? thx
hello
I found when I use Yii1.0 framework ,php session will not work ,so could u help me ?
I am sorry, not aware about that framework.
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: sun, 20 mar 2016 12:24:59 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Link: ; rel=”\\/”
Link: ; rel=shortlink
Pragma: no-cache
Server: Apache
Set-Cookie: PHPSESSID=########################; path=/
Set-Cookie: AWSELB=##################################;PATH=/
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/5.6.16
X-XSS-Protection: 1; mode=block
Connection: keep-alive
my website has not enabled httponly but in the header field you can seeX-XSS-Protection: 1; mode=block.
So my question here is
1)X-XSS-Protection: 1; mode=block but http only is not enabled . is it prone to xss
Hello annoni,
It could be something else than related.
I am using apache 2.2.3, how do I search mod_headers.so file as I tried to find it but unable to trace.
1. If I do not get this file then where do I make the suggested changes.
2. Can I implement the suggested changes in a running server? If yes, what precaution should I need to take care?
Hello Kuldeep,
If it’s not available then you need to compile apache with mod_headers. You may refer this – https://www.eukhost.com/forums/f30/how-add-mod_headers-apache-981/
As a best practice – test in non-production and take a complete backup before touching the running environment.
Hi Chandan,
I am working on a new application, in development phase we have not configured any DNS URL and directly accessing it via Web server. In short, we are using http not https while accessing application. Now, what I have observed is that if I use setting to use both httpOnly & Secure as “Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure” application throws 500 error and causing login error issue. If Secure is disabled and only “Header edit Set-Cookie ^(.*)$ $1;HttpOnly” its working fine.
Can you suggest or confirm if the issue will not be observed incase we use DNS URL with https protocol ? This will help us for later stages in application launch phases.
Regards,
Deepak.
Hello Deepak,
Secure will work when having https so as you said once you have DNS ready with SSL it shouldn’t break.
Thanks for the informative writing…. I was completely new to this, can u pls help me how could we define the same for a specific cookie? i.e, authentication/authorization of a apache cookie, not sure if my question was clear. thanks in advance.
Glad it was helpful to you. I will have to try out on defining specific cookie.
We have apache version 1.3.9
Does this version will support configuration for secure cookie and httponly flag?
Hi, If we apply “Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure” in apache level your application JSESSION_ID will be vanished ..
Please suggest any additional configurations required to get JSESSION_ID ?
Hello Suresh,
I will have to do some try on this and let you know.
Hi, will this still work if the session to the servers is non-SSL. So SSL if offloaded (ssl-termination) on the load-balancers and from there it is non-encrypted to the Apache servers.
For my situation, it doesn’t work for non-SSL (http) connections. It works for SSL connections.
Hello,
I will have to check this out.
Hi Sandev / Chandan ,
I have same kind of environment ssl-termination on the load-balancers and non encrypted path to webserver. Will this work in this situation ? Any updates?
Hello Lin,
I haven’t tested in environment like you so give a try and see if that works.
Hi,
We are running Apache/2.2.17 (Unix)
Please let me know how to check
mod_headers.so enabled ?
How to enable cookie in version 2.2.17 ?
Thanks
Hello Rajesh,
1. Search for mod_headers.so in httpd.conf file and if it’s not commented then it’s enabled.
2. Use below cde in 2.2 version
Header set Set-Cookie HttpOnly;Secure
Hello
I have set this but php session is not working, php session is restart when page refresh or reload.
Hello Saeid,
Thanks for visiting. It sounds like conflicts. Can you check the PHP application logs to see if any clue?
Everything is very open with a precise explanation of the issues.
It was truly informative. Your website is very useful. Thanks for
sharing!
I am glad it was useful to you.