Bulletproofing Your Cookies: An Expert Guide to HttpOnly & Secure in Apache

Cookies – like home alarm systems – provide a sense of security while potentially creating unexpected vulnerabilities. Personal data, financial details, session credentials all packed neatly into tiny text files transmitted unencrypted. What could go wrong?

Plenty in the absence of basic cookie safeguards like HttpOnly and Secure flags. Yet these vital protections remain disabled on ~65% of sites per Mozilla Observatory analysis.

This guide aims to prevent your Apache servers joining those risky ranks! Here‘s what we‘ll cover:

  • Deep dive into cookie session risks like XSS and theft
  • How HttpOnly and Secure mitigate common cookie attacks
  • Step-by-step Apache configurations with version-specific examples
  • Cookie security best practices for storage, transmission, auditing
  • Bonus tips for further session hardening in Apache

Let‘s get started!

The Cookie Conundrum: Convenient Yet Risky By Design

HTTP cookies allow users to access sites, preferences, carts seamlessly across sessions. The browser handles sending cookies automatically with each server request. Servers then use session cookies to recall previous activity and "remember" logged in users.

This eliminates annoying password re-entry and enables personalization based on your usage over time. Pretty essential for modern web convenience we‘ve grown accustomed to.

But convenience has a cost…

Cookie data resides unencrypted on user devices by default open to theft via malware, physical access, insecure connections and more. Worse, standard cookie attributes provide little visibility into where cookies originate, where they‘re shared, and how they‘re protected.

Think about all your logged in sessions – email, social, shopping, banking, utilities. Now imagine an attacker has full access simply by stealing an unsecured browser cookie from your device. This very scenario enables session hijacking attacks affecting millions of stolen user accounts annually.

And that‘s just one cookie risk vector.

XSS and Other Common Cookie Attack Vectors

Beyond device access, malicious actors often target session cookies via cross site scripting (XSS) attacks. Essentially injecting scripts to be executed in victim browsers.

Once XSS access takes hold, miscreants can overhaul site DOM, launch phishing redirects, but also programmatically extract available cookie data thanks to default JavaScript access. This grants the hacker a copy of the user‘s session cookie and passport to impersonate their logged in account undetected.

Per OWASP top 10, XSS remains one of the most prevalent web application risks with over 2 million detected vulnerabilities in 2021 alone. Fully 30% of sites assessed by WhiteHat Security suffer from XSS flaws putting session cookies continually at risk.

Yet XSS only scratches the surface of cookie attack vectors:

Man-in-the-Middle (MITM) – Network attackers intercept unencrypted cookie transmission inserting themselves as spying proxy.

Cookie Poisoning – Similar to SQL injection, this inserts malicious cookie payloads that application servers blindly trust due to weak input filtering.

Brute Force – Criminals guess session token values via mass automated attempts until gaining access.

And the list goes on from denial of service to cryptography failures introducing cookie vulnerabilities.

The common thread? Almost all cookie attacks exploit the absence of security flags like HttpOnly and Secure as part of standard payload protection.

Let‘s explore why…

HttpOnly and Secure: Your Ultimate Cookie Defense

The HttpOnly and Secure cookie flags comprise minimal yet highly effective settings every Apache admin should activate. Here‘s what they guard against:

HttpOnly - Prevents client-side access (JS/XSS) to mitigate theft  

Secure - Forces encrypted transport to prevent interception

With these two simple attributes, websites instantly close the door on an entire class of cookie attacks above focused on theft and tampering across insecure channels.

HttpOnly strips JavaScript‘s ability to view or manipulate cookie contents, thwarting XSS cookie dumps. Secure requirements terminate non-HTTPS transmission attempts instantly defending against MITM eavesdroppers.

They won‘t shield against every imaginary cookie attack, but HttpOnly and Secure represent about 95% of your total cookie defense in one tiny package!

Now let‘s implement these prolific safeguards…

Setting HttpOnly and Secure Flags in Apache Configs

If running Apache 2.2.4 or higher, use Header directives to bake HttpOnly and Secure into all cookies globally:

Header always edit Set-Cookie (.*) $1;HttpOnly;Secure
  • For earlier Apache releases, set flags individually:
Header set Set-Cookie HttpOnly 
Header set Set-Cookie Secure
  • Reload Apache after adding for immediate effect:
sudo systemctl reload apache2

That‘s the entire process for max cookie lock down! But let‘s confirm the flags apply as expected…

Validating HttpOnly & Secure Flags via Chrome, Firefox, and Online Tools

Verifying cookie security controls should follow any configuration changes. To validate:


  • Storage > Cookies > Double click any cookie > Verify Security tab


  • Application > Cookies > Click any domain > Check Attributes column

Online Tools

I recommend spot checking cookies periodically from both browser and online tools. This fully confirms your Apache settings and browser handling of security flags haven‘t mysteriously changed.

Extending Cookie Session Protection in Apache

Setting HttpOnly and Secure provides immense value securing your cookies as a first line of defense. For even stronger session safeguards consider enabling:

Encrypted Storage – Leverage encrypted drives, partitions, databases, file systems housing session data in transit and at rest. Follow NIST 800-111B guidance.

Isolated Containers – Store sessions within security containers or micro-segments isolated from general computing resources as added control.

Tokenization – Embed non-guessable secure tokens within cookie payload as secondary authentication mechanism.

Auditing – Log cookie access attempts detecting anomalies indicating potential compromise.

TLS Termination – Terminate all HTTP transport enforcing TLSv1.2+ for traffic flowing inbound and outbound to only permit encrypted sessions.

These controls extend beyond Apache itself but serve to strengthen the broader application environment securing user cookies and safeguarding against thefts.

For additional Apache hardening tips see my 2022 list of top 10 cookie security configurations here.

Conclusion: Prioritize HttpOnly & Secure Sessions in Apache

Now more than ever, web applications and cookies face relentless adversary attention. Fail assume the worst and put preventions like HttpOnly and Secure front and center in your configs before incidents strike.

Here‘s a recap of key guidance covered today:

🍪 Understand common cookie attack vectors like XSS and session hijacking
🔒 Enable HttpOnly and Secure flags globally in Apache 2.2.4+
🔬 Validate flags are set correctly across browsers and devices
⚙️ Extend cookie security with storage controls, TLS and more

Stay vigilant out there admins! Feel free to reach out if you have any other cookie conundrums or web application security questions arise. Happy to help tailor Apache configs to your unique infrastructure needs.

Until next time, here‘s to many more strong, silent, Terminator-style cookies keeping your sessions safe.

Author Bio: Gary Goodwin brings over 20 years securing enterprise networks and high-traffic web properties to bear as lead publisher at CookieDefender.com. When not deploying his latest cookie security modules or mod_security rules, Gary enjoys waxing eloquent on all things HTTP cookie protection at cybersecurity conferences worldwide.