How to prevent Cross-Site Scripting

HttpOnly flag for Cookie

When the server sends an HTTP response, it can set the HttpOnly flag on the Set-Cookie header that sets the cookie.

HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=5f4dcc3b5aa765d61d8327deb882cf99; path=/; HttpOnly
Content-Length: 283

If this flag is present, JavaScript will not be able to read the cookie's value through document.cookie. Every cookie associated with user authorization must have this flag set. If JavaScript needs access to such a cookie, that is clear evidence of an error in the design of the architecture.

All modern languages and frameworks (PHP, Java, C#, Ruby, Go) have built-in functions for setting the HttpOnly flag.
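As an added example, not part of the course material, the following script audits the Set-Cookie headers of a response and reports cookies that were sent without HttpOnly; the header lines and cookie names in it are constructed sample data.

```python
# Added example (not from the course page): audit Set-Cookie headers for the
# HttpOnly flag. Header values and cookie names below are constructed samples.
from typing import Dict, List, Optional, Set


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    flag attributes such as HttpOnly carry no value and are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookies_missing_httponly(headers: List[str],
                             auth_cookie_names: Optional[Set[str]] = None) -> List[str]:
    """Return names of cookies set without HttpOnly.

    If auth_cookie_names is given, only those (authorization) cookies are
    checked; otherwise every cookie in the response is reported.
    """
    missing = []
    for cookie in map(parse_set_cookie, headers):
        if auth_cookie_names is not None and cookie["name"] not in auth_cookie_names:
            continue
        if "httponly" not in cookie["attrs"]:
            missing.append(cookie["name"])
    return missing


# Constructed sample response headers: one correct, two without the flag.
SAMPLE_SET_COOKIE_HEADERS = [
    "PHPSESSID=5f4dcc3b5aa765d61d8327deb882cf99; path=/; HttpOnly",
    "auth_token=placeholder-token; Path=/; Secure",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for name in cookies_missing_httponly(SAMPLE_SET_COOKIE_HEADERS, {"PHPSESSID", "auth_token"}):
        print(f"authorization cookie {name!r} is readable via document.cookie (no HttpOnly)")
```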
