HttpOnly flag – protects cookies from XSS attacks

1. What is HttpOnly?

        If the HttpOnly attribute is set on a cookie, the cookie cannot be read by JavaScript; it is only transmitted as part of HTTP requests and responses.

        If a browser that supports HttpOnly detects a cookie containing the HttpOnly flag, and client script code attempts to read that cookie, the browser will return an empty string as a result. This makes the attack fail by preventing malicious code (usually XSS) from sending data to the attacker's website.

Cross-site scripting (XSS) attacks are often aimed at stealing session cookies.

        In this attack, the cookie value is read by a client-side script through JavaScript (document.cookie). In everyday use, however, web applications rarely need to access cookies from JavaScript. A method to prevent cookies from being stolen this way was therefore devised: a flag that tells the browser a cookie may only be accessed over HTTP - the HttpOnly flag.

        The HttpOnly flag is not new. It was first implemented in Microsoft Internet Explorer 6 SP1 in 2002 to prevent sensitive information from being stolen. Currently, every major browser supports HttpOnly cookies.

How does HttpOnly work?

        The HttpOnly attribute is an optional attribute of the Set-Cookie HTTP response header, which is sent by the web server to the web browser along with the web page in the HTTP response. Here is an example of setting a session cookie using the Set-Cookie header:

HTTP/2.0 200 OK
Content-Type: text/html
Set-Cookie: sessionid=QmFieWxvbiA1

        The session cookie above is not protected and can be stolen in an XSS attack. However, accessing it with JavaScript can be prevented if the session cookie is set as follows:

Set-Cookie: sessionid=QmFieWxvbiA1; HttpOnly

How to set HttpOnly server side?

        All modern backend languages and environments support setting the HttpOnly flag. Here is an example of how to do it in PHP using the setcookie function:

setcookie("sessionid", "QmFieWxvbiA1", ['httponly' => true]);

        The 'httponly' => true entry in the options array sets the HttpOnly attribute on the cookie.

Other Cookie Security Flags

        The HttpOnly flag is not the only flag you can use to protect cookies. Two more useful flags are described here.

Secure flag
        The Secure flag declares that the cookie may only be sent over an encrypted connection (SSL/TLS, i.e. HTTPS). If this flag is set, the browser will never send the cookie over plain HTTP. This prevents cookie theft through man-in-the-middle attacks on unencrypted connections.

        Note that this flag can only be set during HTTPS connections. If it is set during an HTTP connection, it will be ignored by the browser.
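As an added example (not code from the original post), the following Python audit parses the Set-Cookie headers of a captured HTTP response and reports, for each cookie, whether the HttpOnly and Secure flags discussed above are missing; it also builds a header with both flags switched on. The sample response is constructed.

```python
"""Audit the cookies in an HTTP response for the HttpOnly and Secure flags."""
from typing import Dict, List


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive: "HttpOnly" and "httponly" match.
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_response(raw_response: str) -> Dict[str, List[str]]:
    """Map each cookie set by the response to the protective flags it lacks."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    findings: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, _, hvalue = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hvalue)
        findings[cookie["name"]] = [
            flag for flag in ("httponly", "secure") if flag not in cookie["attrs"]
        ]
    return findings


def build_set_cookie(name: str, value: str, httponly: bool = True, secure: bool = True) -> str:
    """Build a Set-Cookie header value with both protective flags on by default."""
    header = f"{name}={value}"
    if secure:
        header += "; Secure"
    if httponly:
        header += "; HttpOnly"
    return header


# Constructed sample response: an unprotected session cookie next to a hardened one.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=QmFieWxvbiA1\r\n"
    "Set-Cookie: csrftoken=abc123; Secure; HttpOnly\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for cookie_name, missing in audit_response(SAMPLE_RESPONSE).items():
        print(f"{cookie_name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Running the block prints "sessionid: missing httponly, secure" and "csrftoken: OK", which is the check to run against every response that sets a session cookie.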

        .....

Reference articles:

HttpOnly Flag – Protect Cookies from XSS Attacks - Web Security

https://www.cnblogs.com/softidea/p/6040260.html

What the hell is HttpOnly? - Programmer Sought

The usage and purpose of HttpOnly in Cookie


Origin blog.csdn.net/liuqinhou/article/details/131061143