Objective
Set the HttpOnly and Secure flags on cookies in the HTTP response header to protect the website from XSS attacks
Solution
Without the HttpOnly and Secure flags in the HTTP response header, it is possible to steal or manipulate web application sessions and cookies.
It’s better to manage this within the web application’s code. However, not all web applications have it implemented.
There are two optional attributes each cookie can carry which largely address these issues: HttpOnly means that the cookie must not be accessible from client-side scripts (such as JavaScript), and Secure means that the cookie must only be sent over HTTPS requests.
Edit your Apache configuration file /etc/apache2/httpd.conf and add the following to your VirtualHost:
# Load the headers module (mod_headers provides the Header directive)
LoadModule headers_module modules/mod_headers.so
<VirtualHost *:443>
    # Secure Cookies
    # "always" also rewrites headers on non-2xx responses (e.g. redirects).
    # The regex matches the whole Set-Cookie value and appends both flags;
    # if the application already sets one of them, the attribute is simply repeated.
    Header always edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"
</VirtualHost>
Reload Apache
[root@nowherelan]# systemctl reload httpd.service
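To verify the change, inspect the Set-Cookie headers the server now returns (for example from the output of curl -sI against the site). The following is an added example, not code from the original page: it emulates the mod_headers edit above on constructed Set-Cookie values and audits each cookie for the two flags, so the same audit can be run over real response headers after the reload.

```python
"""Audit Set-Cookie headers for HttpOnly and Secure (added example)."""
import re

# Emulation of the page's directive: ^(.*)$ replaced by "$1;HttpOnly;Secure".
EDIT_PATTERN = re.compile(r"^(.*)$")
EDIT_REPLACEMENT = r"\1;HttpOnly;Secure"
REQUIRED_FLAGS = ("httponly", "secure")


def apply_apache_edit(set_cookie_value):
    """Return the cookie value as mod_headers would rewrite it."""
    return EDIT_PATTERN.sub(EDIT_REPLACEMENT, set_cookie_value, count=1)


def cookie_attributes(set_cookie_value):
    """Attribute names after the name=value pair, lower-cased.

    RFC 6265 matches attribute names case-insensitively, so 'httponly',
    'HttpOnly' and 'HTTPONLY' are all the same flag.
    """
    parts = [p.strip() for p in set_cookie_value.split(";")]
    return [p.split("=", 1)[0].strip().lower() for p in parts[1:] if p]


def missing_flags(set_cookie_value):
    """Required flags that this Set-Cookie value does not carry."""
    present = set(cookie_attributes(set_cookie_value))
    return [flag for flag in REQUIRED_FLAGS if flag not in present]


def audit_headers(headers):
    """Map each cookie name to its missing flags across all Set-Cookie headers."""
    report = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split(";", 1)[0].split("=", 1)[0].strip()
        report[cookie_name] = missing_flags(value)
    return report


# Constructed sample: headers as an application might emit them before the fix.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Secure"),
]

if __name__ == "__main__":
    print("before:", audit_headers(SAMPLE_HEADERS))
    fixed = [(n, apply_apache_edit(v) if n == "Set-Cookie" else v) for n, v in SAMPLE_HEADERS]
    print("after: ", audit_headers(fixed))
```

Note that the "theme" cookie ends up with Secure listed twice after the edit; browsers accept the repetition, but it is why an application that already sets the flags is the cleaner place to manage them.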
My System Configuration
- CentOS 7
- Apache 2.4