Secure cookies HttpOnly against XSS with Apache

Posted under » Apache » LAMP Security on 07 October 2014

Cross-site scripting (XSS) attacks on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec (2007). One type of XSS in particular targets cookies.

On LAMP servers you can secure your cookies either in php.ini or in the Apache config. I suggest doing it in Apache, which is the easiest and most effective route.

This requires the headers module (mod_headers), so enable it:

ln -s /etc/apache2/mods-available/headers.load /etc/apache2/mods-enabled/headers.load

Add the following entry to httpd.conf. For 2.4.7 and later, add it to /conf-available/security.conf instead:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly

For Apache versions lower than 2.2.4, use this instead:

Header set Set-Cookie HttpOnly

Some may prefer to add the Secure flag as well, but it will break some of your apps; Drupal, for example, is one of them, so I omit it here. It requires the site to be served over SSL, since a browser only sends a Secure cookie over HTTPS.
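As an added example (not from the original post), the Python below emulates what the Header edit rule above does to a few constructed Set-Cookie values: the unconditional ^(.*)$ pattern appends HttpOnly a second time when the application already sets it, a guarded pattern (an assumption of mine, not the post's) appends only when the attribute is absent, and cookies_missing_httponly is the check to run over captured response headers once the rule is deployed.

```python
import re
# Constructed sample Set-Cookie values, as a PHP app might emit them (not from the post).
SAMPLE_COOKIES = [
    "PHPSESSID=abc123; path=/",
    "SESS1234=xyz; expires=Wed, 08 Oct 2014 10:00:00 GMT; path=/; HttpOnly",
    "pref=dark; path=/; Secure",
]

def apache_header_edit(value, pattern, replacement):
    """Emulate 'Header edit Set-Cookie <pattern> <replacement>': Apache applies a
    PCRE substitution with $1 as the back-reference, which Python spells \\1."""
    py_repl = re.sub(r"\$(\d)", r"\\\1", replacement)
    return re.sub(pattern, py_repl, value)

def add_httponly_naive(value):
    # The post's rule: ^(.*)$ -> $1;HttpOnly. It appends unconditionally, so a
    # cookie the app already marked HttpOnly ends up with the attribute twice.
    return apache_header_edit(value, r"^(.*)$", "$1;HttpOnly")

def add_httponly_guarded(value):
    # Assumed alternative: append only when ';HttpOnly' is absent (case-insensitive).
    # The Apache form would be:
    #   Header edit Set-Cookie "(?i)^((?:(?!;\s*HttpOnly).)+)$" "$1;HttpOnly"
    return apache_header_edit(value, r"(?i)^((?:(?!;\s*HttpOnly).)+)$", "$1;HttpOnly")

def cookie_flags(value):
    """Which of the two protective attributes a Set-Cookie value carries."""
    attrs = {a.strip().lower() for a in value.split(";")[1:]}
    return {"httponly": "httponly" in attrs, "secure": "secure" in attrs}

def cookies_missing_httponly(raw_headers):
    """Names of cookies set without HttpOnly in raw response headers (the text
    `curl -sI` prints): the check to run after deploying the rule."""
    missing = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            value = value.strip()
            if not cookie_flags(value)["httponly"]:
                missing.append(value.split("=", 1)[0])
    return missing

# Constructed response headers, as captured before the rule is deployed.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Set-Cookie: pref=dark; path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
)
```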