DEV Community

Discussion on: How HttpOnly cookies help mitigate XSS attacks 🍪

Dennis Groß

I think you should always consider the following cookie attributes for security-sensitive data such as session IDs:

  • HttpOnly => Cookie exchange only via the HTTP protocol - protects you against XSS attacks
  • SameSite=strict => Cookies only accessible to servers that match the domain in the cookie attribute - protects you against CSRF attacks
  • secure => Cookies can only be transferred with active SSL/TLS encryption (HTTPS) - protects you against man-in-the-middle attacks

Furthermore, if you use a reverse proxy:

Ensure that the X-Forwarded-For headers are set and that the proxy caching policy of the reverse proxy does not interfere with your Set-Cookie header (proxy-pass-header: Server;).

(It is possible that your proxy cache swallows Set-Cookie headers, and that's a nightmare to debug.)

But just setting the correct cookie attributes does not make your site magically secure or protect you against all XSS or CSRF vectors.

You should always educate yourself about common attack vectors when you work with sensitive data.
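As an added example (not code from the comment above or from DEV Community), the snippet below builds a session cookie with the three attributes the comment recommends and audits any raw Set-Cookie header for their absence, which is one way to catch a proxy or cache that rewrites or drops the header in transit. The cookie name, value and Max-Age are constructed placeholders.

```python
"""Build and audit Set-Cookie headers for session cookies (added example)."""
import secrets
from typing import Dict, List, Tuple


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Return a Set-Cookie header value carrying the hardened attribute set."""
    parts = [
        f"{name}={value}",
        "Path=/",
        f"Max-Age={max_age}",
        "HttpOnly",         # not readable via document.cookie: limits XSS theft
        "Secure",           # only sent over TLS: limits on-path interception
        "SameSite=Strict",  # not sent on cross-site requests: limits CSRF
    ]
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attr_lowercase: attr_value})."""
    chunks = [c.strip() for c in header.split(";")]
    name, _, value = chunks[0].partition("=")
    attrs: Dict[str, str] = {}
    for chunk in chunks[1:]:
        if not chunk:
            continue
        key, _, val = chunk.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return findings for missing or weakened attributes; an empty list means OK."""
    _, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by injected script")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    samesite = attrs.get("samesite", "").lower()
    if samesite != "strict":
        findings.append(f"SameSite is {samesite or 'unset'}, expected Strict")
    return findings


if __name__ == "__main__":
    hardened = build_session_cookie("sessionid", secrets.token_urlsafe(32))
    print(hardened, audit_set_cookie(hardened))
    # Constructed header as a misbehaving cache might forward it, attributes stripped.
    print(audit_set_cookie("sessionid=abc123; Path=/"))
```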