[HTTP-Headers] Cookie – HttpOnly flag 指南

Intro

Wikipedia – HTTP cookie – Secure and HttpOnly

DEVCORE – HttpOnly – HTTP Headers 的資安議題 (3)

HttpOnly flag 要求瀏覽器不要通過 HTTP/HTTPS 以外的管道使用cookie。意即無法通過客戶端Script(尤其是JavaScript)存取cookie,因此無法通過跨站點指令碼攻擊輕易竊取。

另外經常被一起討論的還有 Secure Flag: [HTTP-Headers] Cookie – Secure flag 指南


實作於程式語言

PHP

Option 1: 實作於 Application 層級

<?php
ini_set("session.cookie_httponly", 1);
session_start();
?>

一般知名 PHP framework 預設就會加入 HttpOnly flag 並提供 config

Option 2: 實作於語言設定層級

PHP_INI_ALL:

php_value session.cookie_httponly 1

實作於 Web Server

Nginx

Option 1: add_header

設定於 nginx.conf 檔案內 http block 中:

add_header Set-Cookie "Path=/; HttpOnly; Secure";

Option 1: proxy_cookie_path

設定於 ssl.conf, default.confserver > location 中:

proxy_cookie_path / "/; HTTPOnly; Secure";

Leave a Reply

Your email address will not be published. Required fields are marked *