Secure cookie with HttpOnly and Secure flag in Apache

Secure Apache Web Server from XSS Attack

Did you know that you can mitigate the most common XSS attacks by setting the HttpOnly and Secure flags on your cookies? XSS is dangerous, very dangerous. Given the increasing number of XSS attacks every day, you must secure your web applications.

Without the HttpOnly and Secure flags in the HTTP response header, an attacker can steal or manipulate the web application's session and cookies. It is good practice for developers to set the HttpOnly and Secure flags in application code. However, due to bad programming or developers' unawareness, the task often ends up with the web infrastructure team.

I will not cover how to set these flags at the code level; you can refer here.

When a security test is performed on a web application, you will be expected to fix these findings to pass the penetration test. This is how you fix them in the Apache web server.

Implement in Apache:

1. Ensure mod_headers.so is enabled in the Apache instance.

2. Add the following entry to httpd.conf:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

3. Restart the Apache web server.

Note: Header edit is not supported in Apache versions older than 2.2.4. In those versions, you can use the following to set the HttpOnly and Secure flags. Thanks to Ytse for sharing this information.

Header set Set-Cookie HttpOnly;Secure

Verification:

Open your website with HttpWatch, Live HTTP Headers, or an online HTTP header tool.

Check the HTTP response headers: each Set-Cookie header should now include the HttpOnly and Secure flags.
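The configuration step and the verification step above, as an added Python example that is not part of the original post. It emulates what the page's Header edit regex does to one Set-Cookie value, then audits a response header block for cookies that still lack HttpOnly or Secure. The SAMPLE_RESPONSE_HEADERS block is constructed for the demo, not captured from a real site; fetch_raw_headers is the only helper that touches the network and is there so the same audit can be run against your own server.

```python
import http.client
import re
from urllib.parse import urlparse

# Constructed sample of a raw HTTP response header block (not captured from a
# real site). Only JSESSIONID carries both flags; the other two are deficient.
SAMPLE_RESPONSE_HEADERS = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly; Secure
Set-Cookie: tracking=xyz; Path=/
Set-Cookie: pref=dark; Path=/; Secure
Content-Type: text/html
"""

# The regex and replacement from the page's directive:
#   Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
HEADER_EDIT_PATTERN = re.compile(r"^(.*)$")
HEADER_EDIT_REPLACEMENT = r"\1;HttpOnly;Secure"


def emulate_header_edit(set_cookie_value: str) -> str:
    """Python emulation of what the directive's regex does to one Set-Cookie value.
    It simply appends, so a value that already carries the flags gets a second copy."""
    return HEADER_EDIT_PATTERN.sub(HEADER_EDIT_REPLACEMENT, set_cookie_value, count=1)


def parse_set_cookie_headers(raw_headers: str) -> list:
    """Return every Set-Cookie value in a raw header block, one entry per header line."""
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def cookie_flags(set_cookie_value: str) -> dict:
    """Report the cookie name and whether HttpOnly / Secure are present.
    Attribute names are matched case-insensitively, as browsers do; a first
    segment without '=' (no name=value pair) is reported as malformed."""
    parts = [p.strip() for p in set_cookie_value.split(";") if p.strip()]
    first = parts[0] if parts else ""
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return {
        "name": first.split("=", 1)[0],
        "malformed": "=" not in first,
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
    }


def audit(raw_headers: str) -> list:
    """List (cookie name, problems) for every Set-Cookie header that fails the check."""
    findings = []
    for value in parse_set_cookie_headers(raw_headers):
        info = cookie_flags(value)
        problems = ["malformed"] if info["malformed"] else []
        problems += [f for f in ("httponly", "secure") if not info[f]]
        if problems:
            findings.append((info["name"], problems))
    return findings


def fetch_raw_headers(url: str) -> str:
    """Fetch a URL and return its response headers as raw text in the same shape
    as SAMPLE_RESPONSE_HEADERS. Needs network access; the offline demo below
    does not call it."""
    parsed = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parsed.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parsed.hostname, parsed.port)
    conn.request("GET", parsed.path or "/")
    resp = conn.getresponse()
    lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
    # getheaders() keeps repeated Set-Cookie headers as separate pairs.
    lines += [f"{name}: {value}" for name, value in resp.getheaders()]
    conn.close()
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_RESPONSE_HEADERS):
        print(f"{name}: {', '.join(problems)}")
    print("after Header edit:", emulate_header_edit("tracking=xyz; Path=/"))
```

Two things worth checking when you run the audit against a live server. First, every Set-Cookie line should still begin with its name=value pair; the checker reports a line that has lost it as malformed, which is what you would see if a directive replaced the cookie instead of appending to it. Second, Header edit acts on the default response header table, so cookies set on error responses are only covered if you use the "always" condition (Header always edit ...) in Apache versions that support it.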

Excerpted from http://geekflare.com/httponly-secure-cookie-apache/