Showing 2 results for: December 2008, ModSecurity

Fixing Both Missing HTTPOnly and Secure Cookie Flags

In a previous post I showed how you can use both ModSecurity and Apache together to identify/modify SessionIDs that are missing the HTTPOnly flag. I received some feedback where people were asking how to accomplish the same thing but for...

Helping Protect Cookies with HTTPOnly Flag

If you are unfamiliar with what the HTTPOnly cookie flag is or why your web apps should use it, please refer to the following resources:

- Mitigating Cross-site Scripting With HTTP-only Cookies - http://msdn.microsoft.com/en-us/library/ms533046.aspx
- OWASP HTTPOnly Overview - http://www.owasp.org/index.php/HTTPOnly

The...