Secure cookie with HttpOnly and Secure flag in Apache

Netsparker Web Application Security Scanner - the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

Implement cookie HTTP header flag with HTTPOnly & Secure to protect a website from XSS attacks

Do you know you can mitigate most common XSS attacks using HttpOnly and Secure flag with your cookie?

XSS is dangerous. By looking at an increasing number of XSS attacks daily, you must consider securing your web applications.

Without having HttpOnly and Secure flag in the HTTP response header, it is possible to steal or manipulate web application sessions and cookies.

It’s better to manage this within the application code. However, due to developers’ unawareness, it comes to Web Server administrators.

I will not talk about how to set these at the code level. You can refer here.

Implementation Procedure in Apache

Ensure you have mod_headers.so enabled in Apache HTTP server
Add following entry in httpd.conf

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Restart Apache HTTP server to test

Note: Header edit is not compatible with lower than Apache 2.2.4 version.

You can use the following to set the HttpOnly and Secure flag in lower than 2.2.4 version. Thanks to Ytse for sharing this information.

Header set Set-Cookie HttpOnly;Secure

Verification

You can either leverage the browser’s inbuilt developer tools to check the response header or use an online tool.

Did it help?

This is one of the many hardening things to do in Apache.

Power Your Business

Netsparker

Netsparker uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities with proof of exploit, thus making it possible to scan thousands of web applications and generate actionable results within just hours.

Try Netsparker

Kinsta

Probably the best managed WordPress cloud platform to host small to enterprise sites. Kinsta leverages Google's low latency network infrastructure to deliver content faster. Free SSL, CDN, backup and a lot more with outstanding support. You'll love it.

Try Kinsta

Sucuri

A global CDN and cloud-based web application firewall for your website to supercharge the performance and secure from online threats. SUCURI WAF protects from OWASP top 10 vulnerabilities, brute force, DDoS, malware, and more.

Try Sucuri

Secure cookie with HttpOnly and Secure flag in Apache

Implementation Procedure in Apache

Verification

Thanks to our sponsors.

Power Your Business

Choosing the right product and service is essential to run an online business. Here are some of the tools and services to help your business grow.

Netsparker

Kinsta

Sucuri

Secure cookie with HttpOnly and Secure flag in Apache

Implementation Procedure in Apache

Verification

Thanks to our sponsors.

More Great Reading on Geekflare

How to Learn Web Application security?

Nmap installation on Linux with Real-time Usage Examples

Cybersecurity, Data Privacy, Cloud Storage, Ransomware, DevOps, and AI – September Week 2 is High on Technology

Don’t Forget to Setup SPF, DKIM and DMRAC for better Email Delivery

List of SPF Records from Popular Email Hosting Provider

How to Protect Page with Password in Apache, Nginx, WordPress, Hosting?

Power Your Business

Choosing the right product and service is essential to run an online business. Here are some of the tools and services to help your business grow.

Netsparker

Kinsta

Sucuri