Secure cookies in Apache


Implement cookie HTTP header flag with HTTPOnly & Secure to protect website from XSS attacks


Without having HttpOnly and Secure flag in HTTP response header, it is possible to steal or manipulate web application session and cookies.

It’s better to manage this within the web application’s code. However, not all web applications have it implemented.

There are two optional settings each cookie can have set which largely address these issues: HttpOnly means that the cookies should not be accessible from client side scripts and Secure means that the cookie should only be sent across HTTPS requests.

Edit your Apache configuration file/etc/apache2/httpd.conf and add the following to your VirtualHost:

# Load the headers module
LoadModule headers_module modules/

<VirtualHost *:443>
    # Secure Cookies
    Header always edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"

Reload Apache

[root@nowherelan]# systemctl reload httpd.service

My System Configuration

  • CentOS 7
  • Apache 2.4


Leave a Reply

Your email address will not be published. Required fields are marked *