Setting the HttpOnly and Secure attributes on the Set-Cookie response header helps protect a web application's session cookies. HttpOnly stops client-side script (document.cookie) from reading the cookie, which limits cookie theft through cross-site scripting (it does not prevent the XSS itself), and Secure stops the browser from sending the cookie over plain HTTP, which blocks capture of the session identifier on the network. Here is how to add both attributes to every cookie Apache serves, using mod_headers.
Enabling HTTPOnly Secure Cookie in Apache
1. Ensure mod_headers (mod_headers.so) is loaded in the Apache instance; the module list should contain headers_module:
apachectl -M
or:
apachectl -t -D DUMP_MODULES
or on RHEL, CentOS, Fedora:
httpd -M
2. Add the following entry to httpd.conf (or to the VirtualHost that serves the application). The "always" condition makes the rule apply to error and redirect responses too, which is where many applications issue cookies; the quoted replacement keeps the attributes separated the way browsers expect:
Header always edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"
Note that this appends the two attributes to every Set-Cookie header, so a cookie the application already marks HttpOnly or Secure will carry the attribute twice. Browsers tolerate the duplicate, but the cleaner fix is to set the attributes in the application and use this directive as a safety net. Also, Secure means the cookie is only sent over HTTPS, so the site must actually be served over TLS or the cookie will never come back.
3. Check the configuration syntax (apachectl -t) and restart Apache.
Note: Header edit is not available in Apache versions older than 2.2.4. The following alternative has been suggested for those versions (thanks to Ytse for sharing it):
Header set Set-Cookie HttpOnly;Secure
Be aware that Header set replaces the whole Set-Cookie value with the literal text "HttpOnly;Secure", so the cookie name and value are lost and the session will break. It is not a working substitute for Header edit; on such old versions, upgrade Apache or set the attributes in the application that issues the cookie.
Verify HTTPOnly Secure Cookie
To verify that the change has been applied, use the "Developer Tools" in Chrome or Firefox and examine the response headers of a request that sets a cookie (for example the login response): each Set-Cookie header should end with "HttpOnly; Secure". The cookie viewer (Chrome: Application > Cookies; Firefox: Storage > Cookies) also shows an HttpOnly and a Secure column for each cookie.
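For checking from the command line or in a deployment script, the following is an added example (not part of the original post): a POSIX shell function that reads raw HTTP response headers on standard input and reports every Set-Cookie header that lacks HttpOnly or Secure. The sample responses are constructed inline, and the curl usage line assumes a placeholder hostname.

```shell
#!/bin/sh
# Added example: check every Set-Cookie header in an HTTP response for the
# HttpOnly and Secure attributes. Reads raw response headers on stdin, prints
# one line per missing attribute, and returns 0 only if all cookies carry both.
check_cookie_flags() {
    missing=0
    while IFS= read -r line; do
        # Normalise: strip CR, lowercase (attribute names are case-insensitive),
        # drop spaces after ';' and append a ';' so each attribute is delimited.
        norm=$(printf '%s' "$line" | tr -d '\r' | tr 'A-Z' 'a-z' | sed 's/; */;/g')
        norm="${norm};"
        case "$norm" in
            set-cookie:*) ;;
            *) continue ;;
        esac
        # Cookie name is the text between "set-cookie:" and the first '='.
        name=${norm#set-cookie:}
        name=${name%%=*}
        name=$(printf '%s' "$name" | tr -d ' ')
        # Attributes follow a ';', so ";httponly;" cannot match a cookie whose
        # value merely contains the word.
        case "$norm" in
            *";httponly;"*) ;;
            *) echo "cookie '$name': missing HttpOnly"; missing=1 ;;
        esac
        case "$norm" in
            *";secure;"*) ;;
            *) echo "cookie '$name': missing Secure"; missing=1 ;;
        esac
    done
    return "$missing"
}

# Constructed sample responses (not captured from a real server).
GOOD_RESPONSE='HTTP/1.1 200 OK
Set-Cookie: sid=abc123; Path=/; HttpOnly; Secure
Content-Type: text/html'

BAD_RESPONSE='HTTP/1.1 302 Found
Set-Cookie: sid=abc123; Path=/
Set-Cookie: prefs=dark; Path=/; Secure'

# Usage against a live server (hostname is a placeholder):
#   curl -sS -D - -o /dev/null https://www.example.com/login | check_cookie_flags
if printf '%s\n' "$GOOD_RESPONSE" | check_cookie_flags; then
    echo "sample 1: all cookies carry HttpOnly and Secure"
fi
if ! printf '%s\n' "$BAD_RESPONSE" | check_cookie_flags; then
    echo "sample 2: at least one cookie is missing an attribute"
fi
```

Feed it the headers of the response that actually sets the session cookie (typically the login or first-visit response); a 200 for the home page may set nothing, which passes the check trivially.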