The HttpOnly and Secure flags are security attributes that can be set on cookies in HTTP response headers to enhance web application security. They help mitigate cross-site scripting (XSS) attacks, session hijacking, and man-in-the-middle (MITM) attacks.
1. HttpOnly Flag
Definition:
The HttpOnly attribute prevents client-side JavaScript from accessing a cookie. This mitigates the risk of session theft via XSS attacks.
How It Works:
- When a cookie is marked as HttpOnly, it cannot be accessed via document.cookie in JavaScript.
- It is still sent with every HTTP request to the same origin.
Example: Setting an HttpOnly Cookie in an HTTP Response
Set-Cookie: sessionID=abc123; HttpOnly
Security Benefits:
- Prevents XSS attacks from stealing session cookies.
- Ensures cookies are only accessible by the server, not client-side scripts.
Bypassing HttpOnly (Attack Perspective)
- Although HttpOnly protects against JavaScript-based attacks, an attacker could still steal cookies via Cross-Site Request Forgery (CSRF) or network traffic sniffing (if Secure is not set).
2. Secure Flag
Definition:
The Secure attribute ensures that a cookie is only sent over HTTPS connections. This prevents attackers from intercepting cookies over unencrypted HTTP connections.
How It Works:
- When a cookie is marked as Secure, it will not be transmitted over an insecure HTTP connection.
- It is only sent over HTTPS.
Example: Setting a Secure Cookie in an HTTP Response
Set-Cookie: sessionID=abc123; Secure
Security Benefits:
- Protects against MITM (Man-in-the-Middle) attacks where cookies could be stolen over an insecure HTTP connection.
- Ensures sensitive cookies (e.g., session tokens) are only transmitted securely.
Bypassing Secure (Attack Perspective)
- If an attacker forces a victim to make a request over HTTP (e.g., via an insecure link), the cookie will not be sent to the server.
- However, if Secure is missing and HTTP is allowed, an attacker could steal the session via MITM attacks.
3. Using HttpOnly and Secure Together
For maximum security, both HttpOnly and Secure should be set on sensitive cookies:
Set-Cookie: sessionID=abc123; HttpOnly; Secure
Why Use Both?
| Flag | Protection Against | Limitations |
|---|---|---|
| HttpOnly | Prevents XSS from stealing cookies | Does not protect against MITM |
| Secure | Prevents MITM attacks on cookies | Does not prevent XSS attacks |
4. Additional Security Enhancements
To further strengthen cookie security, consider using:
- SameSite=Strict → Prevents CSRF attacks by restricting cross-site requests.
- Secure + HSTS (HTTP Strict Transport Security) → Ensures HTTPS is always used.
- HttpOnly + CSP (Content Security Policy) → Mitigates XSS attacks more effectively.
Example: Fully Secure Cookie
Set-Cookie: sessionID=abc123; HttpOnly; Secure; SameSite=Strict
This ensures:
- No JavaScript access (HttpOnly)
- Only sent over HTTPS (Secure)
- Prevents CSRF (SameSite=Strict)
Conclusion
- HttpOnly prevents XSS-based cookie theft.
- Secure ensures cookies are only sent over HTTPS.
- Use both together to enhance session security and protect against MITM, XSS, and CSRF attacks.