Enable Secure Cookies

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Security Assessment

CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability Information

Cookies that are not marked as HttpOnly can be read by scripts running in the page. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies.

Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies.

Guides

To set cookies to secure and httponly, you need to configure the web framework which issues the cookies. Follow these guides for the correct settings:

PHP

In PHP, configure the session cookie settings for all websites served by that PHP installation. Set the following in your /etc/php/php.ini file:

session.cookie_secure = 1
session.cookie_httponly = 1

Django

In Django, set the following in your project's settings file (settings.py). Note that Python booleans are capitalised:

SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SECURE = True
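The following is an added example, not code from this page, from Crashtest Security, or from PHP or Django. It shows two things a practitioner would want around the vulnerability described above and the two guides: how to audit the Set-Cookie headers of a captured response for the missing Secure and HttpOnly attributes, and how a cookie looks when both attributes are set, which is what the php.ini and settings.py values above produce. Only the Python standard library is used. The list of session cookie names is an assumed heuristic, and the sample headers are constructed for the example.

```python
"""Added example: audit Set-Cookie headers for the Secure and HttpOnly flags.

Illustrative code, not part of the Crashtest Security page or any framework.
"""
from __future__ import annotations

from http.cookies import SimpleCookie

# Assumption: a heuristic list of cookie names that usually carry a session
# identifier. Extend it for the frameworks you actually run.
SESSION_COOKIE_NAMES = {"phpsessid", "sessionid", "jsessionid", "connect.sid"}


def audit_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header value and report missing flags.

    Returns the cookie name, whether Secure and HttpOnly are present,
    whether the name looks like a session cookie, and a list of findings.
    """
    # "name=value" comes first, then the attributes; attribute names are
    # case-insensitive (RFC 6265), so compare them in lower case.
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    findings = []
    if not secure:
        findings.append(f"{name}: missing Secure; may be sent over plain HTTP")
    if not httponly:
        findings.append(f"{name}: missing HttpOnly; readable by page scripts (XSS)")
    return {
        "name": name,
        "secure": secure,
        "httponly": httponly,
        "session_cookie": name.lower() in SESSION_COOKIE_NAMES,
        "findings": findings,
    }


def audit_response_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Audit every Set-Cookie header of a response.

    Session cookies are listed first because they matter most; the sort is
    stable, so other cookies keep their original order.
    """
    results = [audit_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]
    results.sort(key=lambda r: not r["session_cookie"])
    return [f for r in results for f in r["findings"]]


def build_hardened_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie header value with Secure and HttpOnly set.

    This is the header the PHP and Django settings on the page cause the
    framework to emit; here it is produced with the stdlib for illustration.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["secure"] = True
    cookie[name]["httponly"] = True
    cookie[name]["path"] = "/"
    return cookie[name].OutputString()


# Constructed sample: headers a scanner might capture from a target response.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrftoken=xyz; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for finding in audit_response_headers(SAMPLE_HEADERS):
        print(finding)
    print(build_hardened_cookie("sessionid", "abc123"))
```

Run against the constructed sample, the audit reports the PHPSESSID cookie first (it lacks Secure) and then the theme cookie (lacking both), while the csrftoken cookie produces no finding. Feeding the output of build_hardened_cookie back into audit_set_cookie yields no findings, which is the state the guides above aim for.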

For more information about Crashtest Security visit crashtest-security.com