Set the httpOnly Cookie Flag in Express to Ensure Cookies are Inaccessible from JavaScript

Instructor: Mike Sherov
Published 4 years ago
Updated 3 years ago

In this lesson, we'll learn how to set the httpOnly flag on our session id cookie so that it is inaccessible from JavaScript, defeating the theft of the session id by the XSS attack we crafted in the previous lesson. The browser still attaches the cookie to every request to our domain, so the session keeps working; only document.cookie stops exposing it. We'll still be open to other dangers from XSS, which we'll exploit in our next lesson!

Instructor: [00:00] Now that we've proven our site is vulnerable to XSS and that we could use that XSS to steal document.cookie, let's fix that problem. In a later lesson, I'll show you how to fix XSS in general. First, let's focus on simply protecting document.cookie.

[00:15] By default, when a browser stores a cookie, it's both accessible via document.cookie and sent in every request to the target domain. We can inspect the response from our server and see that when it sets the cookie, it doesn't set the HttpOnly flag. Let's fix that.

[00:32] We'll go over to our index file and we'll see where the session cookie settings are saved. We'll notice that we have httpOnly set to false. If we remove this property from our cookie configuration and hit save, clear our cookies and reload, we'll see that now the Set-Cookie header carries the HttpOnly flag.

[00:57] If we log back in and attempt to post our malicious payload again, we can see that the XSS still succeeds, but the payload it sends does not contain the actual cookie value. Indeed, the server's unable to log anything.

[01:18] What this means is that if you don't need programmatic access to document.cookie in your application, set the HttpOnly flag when sending cookies.
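The following is an added example, not the lesson's own code. It reproduces the lesson's before/after in plain Node.js with no framework: the weak cookie config (`httpOnly: false`) next to the hardened one, the Set-Cookie header each produces, and an emulation of the two places a browser exposes a stored cookie. The option names (`httpOnly`, `secure`, `sameSite`, `maxAge`, `path`) and the default cookie name `connect.sid` follow express-session, whose own default for `httpOnly` is `true`, which is why deleting the `httpOnly: false` line is enough in the lesson. The session id and the shape of the exfiltration payload (a request carrying `document.cookie`) are assumptions constructed for this example.

```javascript
'use strict';

// Cookie settings in the shape express-session's `cookie` option takes.
// Both objects are constructed for this example. The weak one mirrors the
// lesson's original config; the hardened one is what express-session gives
// you by default once `httpOnly: false` is removed.
const weakSessionCookie = { path: '/', httpOnly: false, secure: false, sameSite: 'lax', maxAge: 60 * 60 * 1000 };
const hardenedSessionCookie = { path: '/', httpOnly: true, secure: false, sameSite: 'lax', maxAge: 60 * 60 * 1000 };

// Build the Set-Cookie header value a server emits for one cookie.
// maxAge is in milliseconds (as in express-session); Max-Age on the wire is seconds.
function serializeSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (typeof opts.maxAge === 'number') parts.push(`Max-Age=${Math.floor(opts.maxAge / 1000)}`);
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.sameSite) {
    const v = String(opts.sameSite);
    parts.push(`SameSite=${v.charAt(0).toUpperCase() + v.slice(1).toLowerCase()}`);
  }
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  return parts.join('; ');
}

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
  const attrs = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    if (i === -1) attrs[attr.toLowerCase()] = true;
    else attrs[attr.slice(0, i).toLowerCase()] = attr.slice(i + 1);
  }
  return { name, value, attrs };
}

// Emulate the two ways a browser exposes stored cookies: the Cookie request
// header carries every cookie for the origin; document.cookie omits HttpOnly ones.
function browserView(setCookieHeaders) {
  const cookies = setCookieHeaders.map(parseSetCookie);
  const pair = (c) => `${c.name}=${encodeURIComponent(c.value)}`;
  return {
    requestCookieHeader: cookies.map(pair).join('; '),
    documentCookie: cookies.filter((c) => !c.attrs.httponly).map(pair).join('; '),
  };
}

// What an injected script that ships `document.cookie` to the attacker would
// obtain (assumed payload shape). Returns the stolen string, or null if nothing leaks.
function xssExfiltrate(setCookieHeaders) {
  const { documentCookie } = browserView(setCookieHeaders);
  return documentCookie === '' ? null : documentCookie;
}

// Audit a response's Set-Cookie headers: the session cookie must carry HttpOnly.
// Returns a list of findings; an empty list means the check passed.
function auditSessionCookie(setCookieHeaders, sessionCookieName = 'connect.sid') {
  const findings = [];
  const session = setCookieHeaders.map(parseSetCookie).find((c) => c.name === sessionCookieName);
  if (!session) findings.push(`no Set-Cookie for ${sessionCookieName}`);
  else if (!session.attrs.httponly) findings.push(`${sessionCookieName} is readable from document.cookie (missing HttpOnly)`);
  return findings;
}

// Constructed session id; 'connect.sid' is express-session's default cookie name.
const SID = 's:example-session-id';
const weakHeaders = [serializeSetCookie('connect.sid', SID, weakSessionCookie)];
const hardenedHeaders = [serializeSetCookie('connect.sid', SID, hardenedSessionCookie)];

console.log('weak    :', weakHeaders[0]);
console.log('hardened:', hardenedHeaders[0]);
console.log('stolen via XSS (weak)    :', xssExfiltrate(weakHeaders));
console.log('stolen via XSS (hardened):', xssExfiltrate(hardenedHeaders));
console.log('still sent on requests   :', browserView(hardenedHeaders).requestCookieHeader);
console.log('audit (weak)             :', auditSessionCookie(weakHeaders));
```

Running it shows the point the lesson makes in the browser: with the weak config the exfiltrated string is the full `connect.sid` pair, with HttpOnly it is null, yet the Cookie request header is identical in both cases, so the logged-in session keeps working. The `auditSessionCookie` check is the one to put in a test against a real login response: fetch the page, read `set-cookie`, and fail the build if the session cookie lacks HttpOnly. Note what the flag does not do: a script running in the page can still issue authenticated requests from the victim's browser, which is the residual XSS risk the lesson defers to later.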
