2

I'm hosting a number of sites on a single VPS (Debian Jessie, Apache 2.4). One of these sites forces HTTPS. On this and only this site, I would like to set the "Secure Flag" for cookies. I've found loads of resources explaining how to do this for all sites hosted on a server via the apache2.conf file, like this:

```
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
```

But I want Apache to apply this header rewrite only to the one HTTPS site. How do I do that?

David Makogon
kittykittybangbang
  • Did you consider .htaccess? http://www.askapache.com/htaccess/htaccess-fresh.html#Cookie_Manipulation_Tests_mod_rewrite – JayMcTee Jun 06 '16 at 15:31
  • @JayMcTee I'm disinclined toward htaccess b/c I'm under the impression that it's a less secure way to configure a site - although I don't fully understand why. Thoughts? – kittykittybangbang Jun 06 '16 at 17:05
  • It's all as secure as you configure it to be. But you can achieve it in the vhost config too. – JayMcTee Jun 07 '16 at 18:43
  • @JayMcTee _Can_ I do it in the vhost?? That's what I want!! -- but I can't find how to go about doing so. Is it as simple as putting the above lines in the `/etc/apache2/sites-available/site.com.conf` file?? Or is there something else I'm missing? – kittykittybangbang Jun 08 '16 at 13:53

1 Answer

1

Thanks to @JayMcTee's comments, I was able to stumble upon the answer.

To apply the settings to one specific virtual host, simply add the same lines you would to your apache2.conf file:

```
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
```

...to within your virtual host block. For example:

```
<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerAdmin email@domain.com
  ServerName  domain.com
  ServerAlias www.domain.com

  DirectoryIndex index.html index.php
  DocumentRoot /var/www/domain.com/public_html

  ...

  # mod_headers must already be loaded at server level (on Debian: a2enmod headers);
  # LoadModule is not allowed inside <VirtualHost>.
  # Append HttpOnly and Secure to every Set-Cookie header sent by this vhost only.
  Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

</VirtualHost>
</IfModule>
```

Then restart Apache (`service apache2 restart`).

kittykittybangbang
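An added check, not part of the original question or answer: this Python sketch emulates the `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure` rule on constructed `Set-Cookie` values and audits the flags before and after, showing that a cookie which already carries a flag ends up with it twice. The sample cookies and all function names are assumptions made for illustration.

```python
import re

# Same pattern/replacement as the page's directive:
#   Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
EDIT_PATTERN = re.compile(r"^(.*)$")
EDIT_REPLACEMENT = r"\1;HttpOnly;Secure"

# Constructed Set-Cookie values as a backend might emit them (not real traffic).
SAMPLE_COOKIES = [
    "session=abc123; Path=/",
    "prefs=dark; Path=/; Secure",
    "csrf=xyz; Path=/; HttpOnly; Secure; SameSite=Lax",
]


def apply_header_edit(value):
    """Emulate 'Header edit': rewrite the first regex match in the value."""
    return EDIT_PATTERN.sub(EDIT_REPLACEMENT, value, count=1)


def flag_counts(value):
    """Count how often each security flag appears among the cookie attributes."""
    attrs = [part.strip().lower() for part in value.split(";")[1:]]
    return {"secure": attrs.count("secure"), "httponly": attrs.count("httponly")}


def audit(value):
    """Return (cookie_name, missing_flags, duplicated_flags) for one header value."""
    name = value.split("=", 1)[0].strip()
    counts = flag_counts(value)
    missing = sorted(f for f, n in counts.items() if n == 0)
    duplicated = sorted(f for f, n in counts.items() if n > 1)
    return name, missing, duplicated


def audit_all(values, rewrite=False):
    """Audit each value, optionally after applying the emulated Header edit."""
    return [audit(apply_header_edit(v) if rewrite else v) for v in values]


if __name__ == "__main__":
    for label, rewrite in (("backend", False), ("after Header edit", True)):
        for name, missing, duplicated in audit_all(SAMPLE_COOKIES, rewrite):
            print(f"{label:18} {name:8} missing={missing} duplicated={duplicated}")
```

The same `audit` function can be pointed at `Set-Cookie` values captured from each virtual host to confirm the flags appear only on the HTTPS site.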