Implement the HttpOnly and Secure cookie flags in the HTTP header to protect a website from XSS attacks
Without the HttpOnly and Secure flags on the Set-Cookie response header, it is possible to steal or manipulate a web application's session and cookies.
It’s better to manage this within the web application’s code. However, not all web applications have it implemented.
There are two optional attributes each cookie can carry which largely address these issues: HttpOnly means the cookie must not be accessible from client-side scripts (an XSS payload cannot read it through document.cookie, although the flag does not stop the XSS itself), and Secure means the browser only sends the cookie over HTTPS requests, never in cleartext.
Edit your Apache configuration file
/etc/apache2/httpd.conf and add the following to your VirtualHost:

    # Load the headers module
    LoadModule headers_module modules/mod_headers.so

    <VirtualHost *:443>
        # Secure Cookies
        Header always edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"
    </VirtualHost>

Note that this rule appends both flags unconditionally, so a cookie the application already marks HttpOnly or Secure ends up carrying the attribute twice. Browsers tolerate the duplicate, but a pattern that only matches when the flag is absent gives a cleaner header.

Check the configuration syntax before reloading:

[root@nowherelan]# httpd -t
[root@nowherelan]# systemctl reload httpd.service
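To check the result and to see how a non-duplicating variant of the rule behaves, here is an added Python example (not from the original page): it audits every Set-Cookie header in a constructed raw response for the two flags, and emulates a stricter Header edit pattern that appends a flag only when it is missing. The sample response and cookie names are constructed, and the lookahead regex is my variant of the page's rule, not something the page itself uses.

```python
import re

# Constructed sample response (not from the page): three cookies in
# different states, as an application without hardening might emit them.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; HttpOnly\r\n"
    "Set-Cookie: csrf=xyz; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

REQUIRED = ("HttpOnly", "Secure")

def cookie_attributes(value):
    """Return the attribute names of a Set-Cookie value, lower-cased."""
    parts = [p.strip() for p in value.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}

def audit_set_cookie(raw_response):
    """Map each cookie name to the list of REQUIRED flags it is missing."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    findings = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            attrs = cookie_attributes(value)
            cookie = value.strip().split("=", 1)[0]
            findings[cookie] = [f for f in REQUIRED if f.lower() not in attrs]
    return findings

# Python equivalents of a stricter mod_headers rule (my variant) that only
# matches, and therefore only appends, when the flag is not already present:
#   Header always edit Set-Cookie (?i)^((?:(?!;\s?HttpOnly).)+)$ "$1; HttpOnly"
#   Header always edit Set-Cookie (?i)^((?:(?!;\s?Secure).)+)$ "$1; Secure"
HTTPONLY_RULE = re.compile(r"(?i)^((?:(?!;\s?HttpOnly).)+)$")
SECURE_RULE = re.compile(r"(?i)^((?:(?!;\s?Secure).)+)$")

def harden(set_cookie_value):
    """Apply both rules to one Set-Cookie value, as mod_headers would."""
    value = HTTPONLY_RULE.sub(r"\1; HttpOnly", set_cookie_value)
    return SECURE_RULE.sub(r"\1; Secure", value)

if __name__ == "__main__":
    for cookie, missing in audit_set_cookie(SAMPLE_RESPONSE).items():
        print(cookie, "missing:", missing or "nothing")
    print(harden("prefs=dark; Path=/; HttpOnly"))
```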
My System Configuration
- CentOS 7
- Apache 2.4