{"id":74,"date":"2025-03-12T06:14:24","date_gmt":"2025-03-12T06:14:24","guid":{"rendered":"http:\/\/racrx.io\/?p=74"},"modified":"2025-03-23T14:12:18","modified_gmt":"2025-03-23T14:12:18","slug":"httponly-secure-http-headers","status":"publish","type":"post","link":"https:\/\/racrx.io\/?p=74","title":{"rendered":"HttpOnly &amp; Secure HTTP Headers"},"content":{"rendered":"\n<p>The <strong><code>HttpOnly<\/code><\/strong> and <strong><code>Secure<\/code><\/strong> flags are security attributes that can be set on <strong>cookies<\/strong> in HTTP response headers to enhance web application security. They help <strong>mitigate cross-site scripting (XSS) attacks, session hijacking, and man-in-the-middle (MITM) attacks<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>1. <code>HttpOnly<\/code> Flag<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Definition:<\/strong><\/h3>\n\n\n\n<p>The <code>HttpOnly<\/code> attribute prevents <strong>client-side JavaScript<\/strong> from accessing a cookie. 
This mitigates the risk of <strong>session theft via XSS attacks<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>How It Works:<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>When a cookie is marked as <code>HttpOnly<\/code>, it <strong>cannot<\/strong> be accessed via <code>document.cookie<\/code> in JavaScript.<\/li>\n\n\n\n<li>It is still <strong>sent with every HTTP request<\/strong> to the same origin.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Example: Setting an <code>HttpOnly<\/code> Cookie in an HTTP Response<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Set-Cookie: sessionID=abc123; HttpOnly<br><\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Security Benefits:<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prevents <strong>XSS attacks<\/strong> from stealing session cookies.<\/li>\n\n\n\n<li>Ensures cookies are only accessible by the <strong>server<\/strong>, not client-side scripts.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Bypassing <code>HttpOnly<\/code> (Attack Perspective)<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Although <code>HttpOnly<\/code> <strong>protects against JavaScript-based attacks<\/strong>, an attacker could still steal cookies via <strong>Cross-Site Request Forgery (CSRF)<\/strong> or <strong>network traffic sniffing<\/strong> (if <code>Secure<\/code> is not set).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>2. <code>Secure<\/code> Flag<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Definition:<\/strong><\/h3>\n\n\n\n<p>The <code>Secure<\/code> attribute ensures that a cookie is <strong>only sent over HTTPS connections<\/strong>. 
This prevents attackers from intercepting cookies over unencrypted HTTP connections.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>How It Works:<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>When a cookie is marked as <code>Secure<\/code>, it will <strong>not be transmitted<\/strong> over an insecure <strong>HTTP<\/strong> connection.<\/li>\n\n\n\n<li>It is only sent over <strong>HTTPS<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Example: Setting a <code>Secure<\/code> Cookie in an HTTP Response<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Set-Cookie: sessionID=abc123; Secure<br><\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Security Benefits:<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Protects against <strong>MITM (Man-in-the-Middle) attacks<\/strong> where cookies could be stolen over an insecure HTTP connection.<\/li>\n\n\n\n<li>Ensures sensitive cookies (e.g., <strong>session tokens<\/strong>) are only transmitted securely.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Bypassing <code>Secure<\/code> (Attack Perspective)<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If an attacker <strong>forces a victim<\/strong> to make a request over HTTP (e.g., via an insecure link), the cookie <strong>will not be sent<\/strong> to the server.<\/li>\n\n\n\n<li><strong>However<\/strong>, if <code>Secure<\/code> is missing and HTTP is allowed, an attacker could <strong>steal the session<\/strong> via MITM attacks.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>3. 
Using <code>HttpOnly<\/code> and <code>Secure<\/code> Together<\/strong><\/h2>\n\n\n\n<p>For <strong>maximum security<\/strong>, both <code>HttpOnly<\/code> and <code>Secure<\/code> should be set on sensitive cookies:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Set-Cookie: sessionID=abc123; HttpOnly; Secure<br><\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Why Use Both?<\/strong><\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Flag<\/th><th>Protection Against<\/th><th>Limitations<\/th><\/tr><\/thead><tbody><tr><td><code>HttpOnly<\/code><\/td><td>Prevents XSS from stealing cookies<\/td><td>Does not protect against MITM<\/td><\/tr><tr><td><code>Secure<\/code><\/td><td>Prevents MITM attacks on cookies<\/td><td>Does not prevent XSS attacks<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>4. Additional Security Enhancements<\/strong><\/h2>\n\n\n\n<p>To further strengthen <strong>cookie security<\/strong>, consider using:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>SameSite=Strict<\/code><\/strong> \u2192 Prevents CSRF attacks by restricting cross-site requests.<\/li>\n\n\n\n<li><strong><code>Secure<\/code> + HSTS (HTTP Strict Transport Security)<\/strong> \u2192 Ensures HTTPS is always used.<\/li>\n\n\n\n<li><strong><code>HttpOnly<\/code> + CSP (Content Security Policy)<\/strong> \u2192 Mitigates XSS attacks more effectively.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Example: Fully Secure Cookie<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Set-Cookie: sessionID=abc123; HttpOnly; Secure; SameSite=Strict<br><\/code><\/pre>\n\n\n\n<p>This ensures:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>No JavaScript access (<code>HttpOnly<\/code>)<\/strong><\/li>\n\n\n\n<li><strong>Only sent over HTTPS (<code>Secure<\/code>)<\/strong><\/li>\n\n\n\n<li><strong>Prevents CSRF 
(<code>SameSite=Strict<\/code>)<\/strong><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Conclusion<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>HttpOnly<\/code> <strong>prevents XSS-based cookie theft<\/strong>.<\/li>\n\n\n\n<li><code>Secure<\/code> <strong>ensures cookies are only sent over HTTPS<\/strong>.<\/li>\n\n\n\n<li><strong>Use both together<\/strong> to enhance session security and protect against <strong>MITM, XSS, and CSRF<\/strong> attacks.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The HttpOnly and Secure flags are security attributes that can be set on cookies in HTTP response headers to enhance web application security. They help&hellip; <a href=\"https:\/\/racrx.io\/?p=74\" class=\"apace-readmore-link\"><span class=\"screen-reader-text\">HttpOnly &amp; Secure HTTP Headers<\/span>Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-74","post","type-post","status-publish","format-standard","hentry","category-web-stuff"],"_links":{"self":[{"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/posts\/74","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/racrx.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=74"}],"version-history":[{"count":5,"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/posts\/74\/revisions"}],"predecessor-version":[{"id":210,"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/posts\/74\/revisions\/210"}],"wp:attachment":[{"h
ref":"https:\/\/racrx.io\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=74"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/racrx.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=74"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/racrx.io\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=74"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}