If you are unfamiliar with what the HttpOnly cookie flag is or why your web apps should use it, please refer to the following resources:
- Mitigating Cross-site Scripting With HTTP-only Cookies – http://msdn.microsoft.com/en-us/library/ms533046.aspx
- OWASP HTTPOnly Overview – http://www.owasp.org/index.php/HTTPOnly
The bottom line is this: while this cookie flag does nothing to prevent XSS attacks themselves (that must be done at the web application code level), it does significantly help to defeat the #1 goal of an XSS attack, which is stealing session IDs. In other words, without the HttpOnly flag on the Set-Cookie response header, script injected into the page can read the session cookie, and the web application session and its cookies can be stolen or manipulated.
Implementation in Apache configuration (valid for all content served by Apache)
- Ensure you have mod_headers enabled in Apache
- Add the following entry at the end of your httpd.conf
Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
- Restart Apache
Implementation in php.ini (valid only for PHP-served web applications)
- Add the following line to your /etc/php.ini
session.cookie_httponly = 1
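To see exactly what the Apache directive above does to each Set-Cookie header, and to have a check you can run against a server's response headers after deploying either configuration, here is an added Python example (not code from the original page). It re-implements the page's `Header edit` regex with Python's `re` module, applies it to a constructed list of response headers, and reports which cookies still lack the flag. The header list, cookie names and function names are constructed for illustration.

```python
import re

# Regex copied from the page's Apache directive:
#   Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
# Apache uses PCRE; Python's re handles the (?i) flag and the negative
# lookahead identically for this pattern.
HTTPONLY_PATTERN = re.compile(r"(?i)^((?:(?!;\s?HttpOnly).)+)$")


def add_httponly(set_cookie_value: str) -> str:
    """Apply the same rewrite mod_headers performs on one Set-Cookie value.

    Apache's "$1; HttpOnly" replacement is written as r"\1; HttpOnly" here.
    If the value already carries HttpOnly (any case, with or without a space
    after the ';'), the lookahead makes the whole match fail and the value is
    returned unchanged, so running the edit twice never doubles the flag.
    """
    return HTTPONLY_PATTERN.sub(r"\1; HttpOnly", set_cookie_value)


def apply_header_edit(headers):
    """Run add_httponly over every Set-Cookie header in a (name, value) list,
    as mod_headers does per header; other headers pass through untouched."""
    return [
        (name, add_httponly(value) if name.lower() == "set-cookie" else value)
        for name, value in headers
    ]


def cookies_missing_httponly(headers):
    """Return the names of cookies whose Set-Cookie header lacks HttpOnly.

    Useful as a deployment check: feed it the response headers of a login
    page and expect an empty list. Attribute names are compared
    case-insensitively, as browsers treat them.
    """
    missing = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attributes = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attributes:
            missing.append(cookie_name)
    return missing


# Constructed sample of response headers as a PHP app behind Apache might
# send them before the directive is in place (not captured from a real site).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
    ("Set-Cookie", "lang=en; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT"),
    ("Set-Cookie", "theme=dark; path=/; Secure; HttpOnly"),
]


if __name__ == "__main__":
    print("before:", cookies_missing_httponly(SAMPLE_HEADERS))
    fixed = apply_header_edit(SAMPLE_HEADERS)
    for name, value in fixed:
        if name == "Set-Cookie":
            print(value)
    print("after: ", cookies_missing_httponly(fixed))
```

Two points worth keeping in mind when you run the real check with the browser's developer tools or a header-dumping client: `Header edit` only rewrites headers on successful responses, so if cookies are also set on error pages or by a proxied back end you may need `Header always edit` instead; and the php.ini setting covers only PHP's session cookie, while the Apache directive also catches cookies set by `setcookie()` calls that omit the httponly argument.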
IMPORTANT: As of January 2013, an Apache bug was reported affecting versions 2.2.0 to 2.2.21 in the construction of Bad Request (400) error documents; it allows remote attackers to obtain the values of HttpOnly cookies via a long or malformed header in conjunction with crafted web script. Upgrade to Apache 2.2.22 to fix this issue. More info at Apache httpOnly Cookie Disclosure.