Questions tagged [httponly]

HttpOnly is an attribute on the Set-Cookie response header. A cookie that carries it is still attached automatically by the browser to matching HTTP and HTTPS requests, but it is hidden from client-side script: it does not appear in document.cookie and cannot be read or modified from JavaScript.

Important Note

HttpOnly only makes exploiting an XSS vulnerability slightly harder. It stops injected script from reading the session cookie via document.cookie and sending it to the attacker, but the injected script can still issue requests from the victim's browser, and the browser attaches the cookie to those requests automatically, so the attacker can act as the user without ever seeing the cookie. HttpOnly does not provide protection against XSS itself; the XSS must still be fixed.
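Checking for the attribute is the practical side of most of the questions below. The following Node.js auditor is an added example, not part of the tag wiki or of any question listed here: it parses raw Set-Cookie header values (for instance from a proxy capture) and reports cookies missing HttpOnly, Secure or SameSite, plus the SameSite=None-without-Secure and __Host- prefix rules. The function names and the sample headers in demo() are assumptions constructed for the example.

```javascript
// Added example (not from the tag wiki): audit Set-Cookie header values for
// HttpOnly and the attributes usually set alongside it. Sample input is constructed.

// Parse one Set-Cookie value into { name, value, attrs }. Attribute names are
// case-insensitive, so they are lower-cased; valueless attributes (HttpOnly,
// Secure) map to true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter((p) => p.length);
  if (parts.length === 0) return { name: "", value: "", attrs: {} };
  const [nameValue, ...rest] = parts;
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? "" : nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Audit one Set-Cookie value. Returns an array of findings; empty means clean.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  const secure = "secure" in attrs;
  if (!("httponly" in attrs)) findings.push(`${name}: missing HttpOnly`);
  if (!secure) findings.push(`${name}: missing Secure`);
  if (!("samesite" in attrs)) {
    findings.push(`${name}: missing SameSite`);
  } else if (String(attrs.samesite).toLowerCase() === "none" && !secure) {
    // Browsers reject SameSite=None cookies that are not also Secure.
    findings.push(`${name}: SameSite=None requires Secure`);
  }
  // __Host- prefixed cookies must be Secure, carry no Domain, and have Path=/.
  if (name.startsWith("__Host-")) {
    if ("domain" in attrs) findings.push(`${name}: __Host- cookie must not set Domain`);
    if (attrs.path !== "/") findings.push(`${name}: __Host- cookie must set Path=/`);
  }
  return findings;
}

// Audit every Set-Cookie header of one response.
function auditResponseCookies(setCookieHeaders) {
  return setCookieHeaders.flatMap(auditSetCookie);
}

// Constructed sample: a bare JSESSIONID as several questions below describe,
// next to a hardened session cookie.
function demo() {
  const headers = [
    "JSESSIONID=1A2B3C; Path=/",
    "__Host-session=1A2B3C; Path=/; Secure; HttpOnly; SameSite=Lax",
  ];
  return auditResponseCookies(headers);
}

console.log(demo().join("\n"));
```

Run against real traffic by feeding it the Set-Cookie values from a proxy or from curl -i; the first sample cookie produces three findings and the hardened one none.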

294 questions
18 votes, 4 answers

Turn off HttpOnly Spring boot

I would like to turn off HttpOnly sessions which I believe are default for Spring Boot. How would I turn off HttpOnly on spring boot? I currently have code such as: @RequestMapping(value = "/stuff", method = GET) public @ResponseBody myObject…

Nick Humrich

17 votes, 0 answers

How to set HttpOnly and Secure flags on GA cookies which are managed by Google Tag Manager?

My project uses Google Tag Manager (GTM) to manage my Google Analytics (GA) code. Now, for some reasons, I need to add 'httponly' and 'secure' flags to the cookies which GA generates, but I don't know how to do that.

Ming Sun

14 votes, 1 answer

Setting 'HttpOnly' and 'Secure' in web.xml

I need to have the 'HttpOnly' and 'Secure' attributes set to 'true' to prevent the CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute and CWE-402: Transmission of Private Resources into a New Sphere flaws from showing in the…

EH Khiari

14 votes, 3 answers

How to set httponly and session cookie for Java web application

I am working on an XSS (cross-site scripting) issue. My application runs on an Oracle WebLogic portal. We use Servlet version 2.5. I have added the below 3 lines of code in the filter for setting httponly and secure cookies, and it is working…

Kiran

14 votes, 3 answers

Django CSRF cookie HttpOnly

Is it possible to set the django csrf cookie to be http-only? Similar to SESSION_COOKIE_HTTPONLY with the session cookie, but for the csrf one?

Mark

13 votes, 6 answers

How exactly do you configure httpOnly Cookies in ASP Classic?

I'm looking to implement httpOnly in my legacy ASP classic sites. Does anyone know how to do it?

Eduardo Molteni

13 votes, 2 answers

How do you remove HttpOnly cookies?

If my application places HttpOnly cookies on a client and then needs to remove them, how can you remove them completely?

Chris Marisic

13 votes, 2 answers

Setting httponly in JSESSIONID cookie (Java EE 5)

I'm trying to set the httponly flag on the JSESSIONID cookie. I'm working in Java EE 5, however, and can't use setHttpOnly(). First I tried to create my own JSESSIONID cookie from within the servlet's doPost() by using response.setHeader(). When…

Mythandros

12 votes, 1 answer

Is HttpOnly necessary when SSL is already set?

If I already set SSL for my application server, do I still need to set HttpOnly for the cookies?

ysp80

12 votes, 3 answers

Set httpOnly flag for CSRF token in Laravel

I'm building an application in Laravel 5.1 for a client. After I finished the application I got back a pentest report which tells me to add a HttpOnly flag. I added 'secure' => true and 'http_only' => true to app/config/session.php. The…

Guido Rus

11 votes, 1 answer

How to secure private routes in SPA while using httpOnly cookies

I'd like to secure my SPA private routes with JWT authentication. To make everything as secure as possible, I wanted to use an httpOnly cookie to store my access_token on the client side. Using httpOnly cookies protects me a lot from XSS…

sarneeh

11 votes, 2 answers

Is there a way to check if a cookie is httponly in PHP?

Is there a way to check if the cookie is httponly in PHP?

malukisses

10 votes, 3 answers

Secure and HttpOnly flags for session cookie Websphere 7

In Servlet 3.0 compliant application servers I can set the HttpOnly and secure flags for the session cookie (JSESSIONID) by adding the following to the web.xml: true

mmutilva

10 votes, 3 answers

Zend Framework, Sessions, and HttpOnly

I want to make my session cookie HttpOnly. Based on this article, I added this to my application.ini: resources.session.cookie_httponly = true Unfortunately, when I look at the session cookie in Firecookie, it is not marked as HttpOnly as I have…

Sonny

9 votes, 2 answers

ASP MVC 3 cookie losing HttpOnly and Secure flags

I am setting cookies as part of my mvc application: var cookie = new HttpCookie(CookieName, encryptedData) { Path = FormsAuthentication.FormsCookiePath, Domain = CookieDomain, Expires =…

Grofit
