DEV Community

Cover image for How to Protect Cookies Against Common XSS Attacks on the Web?
Beto Muniz
Beto Muniz

Posted on • Edited on • Originally published at betomuniz.com

How to Protect Cookies Against Common XSS Attacks on the Web?

We can ignore Cookies danger by just not recommending its usage, but the fact is that at least 55% of all the websites use Cookies RIGHT NOW even with lots of existing cookieless strategies.

So how to protect Cookies against Common XSS Attacks?

Well, if your app really needs to use Cookies, configure each one through Set-Cookie HTTP Header with at least the following flags:

🍪 Secure: To allow the Cookie only through HTTPS

🍪 HttpOnly: To remove the Cookie from the document.cookie

🍪 SameSite: To limit the Cookie context usage

Set-Cookie: Secure;HttpOnly;SameSite=Strict;...
Enter fullscreen mode Exit fullscreen mode

Hope that with these tips, your app now has a few more chances against XSS Attackers that use Cookies breaches. Anyway, keep in mind that complex attacks can easily bypass these tips. So try to migrate ASAP to cookieless strategies.

Top comments (0)