Secure cookie with HttpOnly and Secure flag in Apache


Did you know you can mitigate the most common XSS attacks by setting the HttpOnly and Secure flags on your cookies? XSS is dangerous, very dangerous. Given the growing number of XSS attacks reported daily, you must secure your web applications.

Without the HttpOnly and Secure flags in the HTTP response header, it is possible to steal or manipulate web application sessions and cookies. It is good practice for developers to set the HttpOnly and Secure flags in application code. However, due to bad programming or developers' unawareness, the task often falls to the web infrastructure.

I will not talk about how to set these at the code level. You can refer here.

While performing a security test on web applications, you will be expected to fix these to pass the penetration test. This is how you can fix them in the Apache Web Server.

Implement in Apache:

1. Ensure mod_headers.so is enabled in your Apache instance (a LoadModule headers_module modules/mod_headers.so line in httpd.conf).

2. Add the following entry to httpd.conf:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

3. Restart the Apache Web Server.

Note: Header edit is not available in Apache versions lower than 2.2.4. You can use the following to set the HttpOnly and Secure flags on versions lower than 2.2.4. Thanks to Ytse for sharing this information. Be aware that Header set replaces the entire header value rather than appending to it, so check the resulting Set-Cookie header carefully.

Header set Set-Cookie HttpOnly;Secure

Verification:

Open your website with HTTP Watch, Live HTTP Headers or an online HTTP header tool.

Check the HTTP response header; the Set-Cookie header should now carry the HttpOnly and Secure attributes, as highlighted in the screenshot.

[Screenshot: Set-Cookie header showing HttpOnly and Secure]
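As an added example (not code from the original post), a small Python checker that audits captured response headers for the two flags and mimics what the Header edit rule above does to a single cookie value; the headers are constructed sample data.

```python
"""Audit Set-Cookie headers for HttpOnly and Secure (added example).

Works on raw response header text, so it runs offline against a captured
response; for a live check, feed it the output of `curl -sI https://host/`.
"""
import re

# Constructed sample captured *before* the Apache change: the session cookie
# lacks both flags and the second cookie lacks Secure.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Server: Apache
Set-Cookie: JSESSIONID=abc123; Path=/
Set-Cookie: lang=en; Path=/; HttpOnly
Content-Type: text/html
"""

REQUIRED = ("HttpOnly", "Secure")


def set_cookie_values(raw_headers):
    """Return the value of every Set-Cookie header (name matched case-insensitively)."""
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def missing_flags(cookie_value):
    """Return the required attributes absent from one Set-Cookie value."""
    attrs = {a.strip().split("=", 1)[0].lower() for a in cookie_value.split(";")[1:]}
    return [f for f in REQUIRED if f.lower() not in attrs]


def audit(raw_headers):
    """Map each cookie name to the flags it is missing (empty list means OK)."""
    result = {}
    for value in set_cookie_values(raw_headers):
        name = value.split(";", 1)[0].split("=", 1)[0].strip()
        result[name] = missing_flags(value)
    return result


def apache_header_edit(cookie_value):
    """Mimic `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure` on one value.

    The directive appends unconditionally, so a cookie that already carries a
    flag ends up with it twice; browsers tolerate the duplicate attribute.
    """
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure", cookie_value)


if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```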


Originally posted by : http://chandank.com/webservers/apache/httponly-secure-cookie-apache
