XSS (cross-site scripting) is an attack in which the attacker injects JavaScript into the HTML that the server returns to the browser.
Prevent XSS attacks
Configure the Set-Cookie HTTP response header: it has two attributes that help protect against XSS attacks by keeping the cookie out of reach of injected script.
- HttpOnly: This attribute forbids JavaScript from accessing the cookie, so it protects the cookie from being read by malicious code embedded in the page.
- Secure: This attribute tells the browser to send the cookie only with requests made over HTTPS.
For example, in a Java servlet (Domain, Max-Age and the cookie value are placeholders; attribute names are case-insensitive, but HttpOnly is the conventional spelling):
response.setHeader("Set-Cookie", "cookiename=httponlyTest; Path=/; Domain=domainvalue; Max-Age=seconds; HttpOnly; Secure");
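The following added example (not code from the original post) builds a Set-Cookie header with both attributes and audits existing Set-Cookie headers for a missing HttpOnly or Secure flag, which is a useful check when reviewing an application's responses; the sample headers are constructed for illustration.

```python
"""Build Set-Cookie headers with HttpOnly/Secure and audit headers that lack them."""


def build_set_cookie(name, value, path="/", domain=None, max_age=None,
                     http_only=True, secure=True):
    """Return a Set-Cookie header value; HttpOnly and Secure are on by default."""
    parts = [f"{name}={value}", f"Path={path}"]
    if domain:
        parts.append(f"Domain={domain}")
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if http_only:
        parts.append("HttpOnly")  # keeps document.cookie from exposing the value
    if secure:
        parts.append("Secure")    # browser only sends the cookie over HTTPS
    return "; ".join(parts)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    pieces = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        # RFC 6265 attribute names are case-insensitive, so "HTTPOnly" counts too
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return (cookie name, list of missing protective attributes)."""
    name, _, attrs = parse_set_cookie(header)
    missing = [flag for flag, key in (("HttpOnly", "httponly"), ("Secure", "secure"))
               if key not in attrs]
    return name, missing


def audit_all(headers):
    """Map each cookie name to the attributes it is missing."""
    return dict(audit_set_cookie(h) for h in headers)


# Constructed sample Set-Cookie headers, as an audit tool would see them in responses.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly; Secure",
    "cookiename=httponlyTest;Path=/;Domain=example.com;Max-Age=3600;HTTPOnly",
    "tracking=xyz; Path=/",
]

if __name__ == "__main__":
    print(build_set_cookie("sid", "abc", domain="example.com", max_age=3600))
    for cookie, missing in audit_all(SAMPLE_HEADERS).items():
        print(cookie, "missing:", missing or "nothing")
```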