Apache HTTPOnly and Secure Cookie

Apache HTTP ServerHaving HTTPOnly and Secure in HTTP response header can help to protect your web applications from cross-site scripting and session manipulation attacks. Here is how to configure HTTPOnly Secure Cookie Attribute in Apache.

Enabling HTTPOnly Secure Cookie in Apache

1.     Ensure you have mod_headers.so enabled in Apache instance:


or on RHEL,CentoS, Fedora:

2.     Add following entry in httpd.conf

3.     Restart Apache Web Server

Note: Header edit is not compatible with lower than Apache 2.2.4 version. You can use following to set HttpOnly and Secure flag in lower than 2.2.4 version. Thanks to Ytse for sharing this information.

Verify HTTPOnly Secure Cookie

To verify that changes have been applied you can use “Developer Tools” in Chrome or Firefox to examine the request headers.

Want me to do this for you? Drop me a line: itgalaxyzzz {at} gmail [point] com