
Secure cookie with HttpOnly and Secure flag in Apache

Implement the HttpOnly and Secure cookie flags in the HTTP response header to protect your website against XSS attacks

Did you know that you can limit the impact of the most common XSS attacks by setting the HttpOnly and Secure flags on your cookies?

XSS is dangerous. Given the growing number of XSS attacks reported every day, you must consider securing your web applications.

Without the HttpOnly and Secure flags in the HTTP response header, it is possible to steal or manipulate web application sessions and cookies.

It is better to manage this within the application code. However, because developers are often unaware of it, the task ends up with the web server administrators.

I will not cover how to set these flags at the code level; you can refer here.

Implementation Procedure in Apache

1. Ensure you have mod_headers.so enabled in Apache HTTP server.

2. Add the following entry in httpd.conf:

   Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

3. Restart Apache HTTP server to test.

Note: Header edit is not available in Apache versions older than 2.2.4.

You can use the following to set the HttpOnly and Secure flags in versions older than 2.2.4. Thanks to Ytse for sharing this information.

Header set Set-Cookie HttpOnly;Secure

Verification

You can either use your browser's built-in developer tools to inspect the response header or use an online tool.
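As an added example that is not part of the original article, the following Python script simulates the Header edit rule above on constructed Set-Cookie values and audits the result the way you would when inspecting the response header in the developer tools. The cookie values are made up, and the script models only the regex substitution, not Apache itself.

```python
import re

# Simulates the article's unconditional rule:
#   Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# Apache applies the PCRE to the whole header value and appends both flags
# whether or not they were already present (constructed simulation, not Apache).
HEADER_EDIT_PATTERN = re.compile(r"^(.*)$")
HEADER_EDIT_REPLACEMENT = r"\1;HttpOnly;Secure"


def apply_header_edit(set_cookie_value):
    """Return the Set-Cookie value as the article's Header edit rule would rewrite it."""
    return HEADER_EDIT_PATTERN.sub(HEADER_EDIT_REPLACEMENT, set_cookie_value, count=1)


def audit_set_cookie(set_cookie_value):
    """Check one Set-Cookie value as a verifier would read it in the dev tools.

    Reports a missing HttpOnly or Secure flag, a flag repeated more than once
    (what happens when the application already sets the flags and Apache appends
    them again), and a value with no name=value pair (what
    'Header set Set-Cookie HttpOnly;Secure' emits: a separate, meaningless cookie).
    """
    parts = [p.strip() for p in set_cookie_value.split(";") if p.strip()]
    findings = []
    if parts and "=" in parts[0]:
        attrs = [p.lower() for p in parts[1:]]  # attributes follow name=value
    else:
        findings.append("no name=value pair: not a real cookie")
        attrs = [p.lower() for p in parts]
    for flag in ("httponly", "secure"):
        count = attrs.count(flag)
        if count == 0:
            findings.append(f"missing {flag}")
        elif count > 1:
            findings.append(f"{flag} repeated {count} times")
    return findings


# Constructed sample Set-Cookie values (not captured from any real server).
SAMPLE_SET_COOKIES = [
    "PHPSESSID=abc123; path=/",                          # app sets no flags
    "JSESSIONID=EXAMPLE; path=/app; Secure; HttpOnly",   # app already sets both
    "HttpOnly;Secure",                                   # output of 'Header set'
]

if __name__ == "__main__":
    for value in SAMPLE_SET_COOKIES:
        print("before edit:", value, "->", audit_set_cookie(value) or "ok")
        edited = apply_header_edit(value)
        print("after edit: ", edited, "->", audit_set_cookie(edited) or "ok")
```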

Did it help?

This is one of many hardening steps to take in Apache. The best approach is to scan your web applications regularly to find security vulnerabilities.

Chandan Kumar
About Chandan
Chandan Kumar is the founder and editor of Geek Flare. Learn more here and connect with him on Twitter.

Comments

  1. This has caused our server to issue multiple httponly and secure flags on one cookie.

    Set-Cookie: JSESSIONID = A32E0EAFB76ABC5BADD08DF93764B666; path=/clin-rcil;Secure;HttpOnly;HttpOnly;HttpOnly;Secure

    Any thoughts? I think we are version 2.2.9, still waiting to confirm.

  2. Hi, thanks for this easy to understand guide.

    But I think, marking ALL cookies per default as HttpOnly is a bad choice. There are some cases that we want to send both HttpOnly and not HttpOnly cookies. For example in case of sending XSRF Token to the client. To avoid XSRF attacks, client code should explicitly add received XSRF Token into header. If XSRF Token value were in a HttpOnly cookie, client code cannot access this value.

  3. Hello in my environment, I am using Apache 2.4.12.

    If I use, Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure, it is not working..
    can u please share any info to edit the existing cookie on this apache version.

    If I use “Header set Set-Cookie HttpOnly;Secure”. It is adding another cookie with the attributes HttpOnly & secure.
    Ex:
    Set-Cookie: MY_APPLICATION_NAME=en_US; expires=Fri, 06-May-2016 08:20:46 GMT
    Set-Cookie: HttpOnly;Secure
    So when I scan my application for security vulnerability, I still see this as vulnerability.

  4. Hello

    I have set this but php session is not working, php session is restart when page refresh or reload.

    And I use the Yii 1.0 ,so do u have some advice about this? thx

  5. HTTP/1.1 200 OK
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Content-Type: text/html; charset=UTF-8
    Date: sun, 20 mar 2016 12:24:59 GMT
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Link: ; rel=”\\/”
    Link: ; rel=shortlink
    Pragma: no-cache
    Server: Apache
    Set-Cookie: PHPSESSID=########################; path=/
    Set-Cookie: AWSELB=##################################;PATH=/
    X-Frame-Options: SAMEORIGIN
    X-Powered-By: PHP/5.6.16
    X-XSS-Protection: 1; mode=block
    Connection: keep-alive

    my website has not enabled httponly but in the header field you can see X-XSS-Protection: 1; mode=block.

    So my question here is
    1)X-XSS-Protection: 1; mode=block but http only is not enabled . is it prone to xss

  6. I am using apache 2.2.3, how do I search mod_headers.so file as I tried to find it but unable to trace.
    1. If I do not get this file then where do I make the suggested changes.
    2. Can I implement the suggested changes in a running server? If yes, what precaution should I need to take care?

  7. Hi Chandan,
    I am working on a new application, in development phase we have not configured any DNS URL and directly accessing it via Web server. In short, we are using http not https while accessing application. Now, what I have observed is that if I use setting to use both httpOnly & Secure as “Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure” application throws 500 error and causing login error issue. If Secure is disabled and only “Header edit Set-Cookie ^(.*)$ $1;HttpOnly” its working fine.
    Can you suggest or confirm if the issue will not be observed incase we use DNS URL with https protocol ? This will help us for later stages in application launch phases.

    Regards,
    Deepak.

  8. Thanks for the informative writing…. I was completely new to this, can u pls help me how could we define the same for a specific cookie? i.e, authentication/authorization of a apache cookie, not sure if my question was clear. thanks in advance.

  9. Hi, If we apply “Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure” in apache level your application JSESSION_ID will be vanished ..
    Please suggest any additional configurations required to get JSESSION_ID ?

  10. Hi, will this still work if the session to the servers is non-SSL. So SSL if offloaded (ssl-termination) on the load-balancers and from there it is non-encrypted to the Apache servers.

  11. Hi,

    We are running Apache/2.2.17 (Unix)

    Please let me know how to check
    mod_headers.so enabled ?

    How to enable cookie in version 2.2.17 ?

    Thanks

    • Hello Rajesh,

      1. Search for mod_headers.so in httpd.conf file and if it’s not commented then it’s enabled.

      2. Use the below code in 2.2 version

      Header set Set-Cookie HttpOnly;Secure

  12. Hello

    I have set this but php session is not working, php session is restart when page refresh or reload.

  13. Everything is very open with a precise explanation of the issues.
    It was truly informative. Your website is very useful. Thanks for
    sharing!
