Securing Apache, Tip#4: Helping Protect Cookies with HTTPOnly Flag

If you are unfamiliar with what the HTTPOnly cookie flag is or why your web apps should use it, please refer to the following resources –

The bottom line is this – while this cookie option flag does absolutely nothing to prevent XSS attacks (this should be done at webapp code level), it does significanly help to prevent the #1 XSS attack goal which is stealing SessionIDs.  In other words, without having HttpOnly flag in HTTP response header, it is possible to steal or manipulate web application session and cookies.

Implementation in Apache configuration (valid for all content server by Apache)

  1. Ensure you have mod_headers enabled in Apache
  2. Add following entry at the end of your httpd.conf
    Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
  3. Restart Apache

Implementation in php.ini  (valid only for PHP served web applications)

  1. Add the following line to your /etc/php.ini
    session.cookie_httponly = 1

IMPORTANT: As of January, 2013 an Apache bug was reported affecting versions from 2.2.0 to 2.2.21 during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a long or malformed header in conjunction with crafted web script. You should upgrade up to Apache 2.2.22 to overcome this issue. More info at Apache httpOnly Cookie Disclosure

See other tips:

Securing Apache, Tip #1: Minimize banner information

Securing Apache, Tip#2: PHP display_errors

Securing Apache, Tip#3: Restrict file extensions


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s