How can you secure your HTTP cookies against XSS attacks?

1 Answer

Shrikant Mishra

Cross site scripting (XSS) occurs when the attacker injects executable JavaScript code into the HTML response.

To reduce these attacks, we have to set flags on the Set-Cookie HTTP header:

HttpOnly - this attribute helps prevent attacks such as cross-site scripting, since it does not allow the cookie to be accessed via JavaScript.

Secure - this attribute tells the browser to only send the cookie if the request is being sent over HTTPS.

So it would look something like this:

Set-Cookie: sid=<cookie-value>; HttpOnly

If you are using Express with express-cookie session, it works this way by default.
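As an added example (not part of the answer above), a small Node.js helper that builds a Set-Cookie header carrying the HttpOnly and Secure flags the answer describes, and an audit function that reports which of those flags an existing header is missing. The function names are hypothetical; the SameSite and Path attributes are added as baseline defaults the answer does not mention.

```javascript
// Added example: build a hardened Set-Cookie header and audit existing
// Set-Cookie headers for the flags discussed above. Plain Node.js, no
// Express dependency; function names are hypothetical.

// Build a Set-Cookie header value for a session cookie. The defaults
// emit HttpOnly (no document.cookie access from script) and Secure
// (sent over HTTPS only); SameSite=Lax and Path=/ are baseline extras.
function buildSessionCookie(name, value, opts = {}) {
  const {
    httpOnly = true,
    secure = true,
    sameSite = 'Lax',
    path = '/',
    maxAge, // seconds; when omitted the cookie is a session cookie
  } = opts;
  if (!/^[\w-]+$/.test(name)) throw new Error('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (typeof maxAge === 'number') parts.push(`Max-Age=${Math.floor(maxAge)}`);
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Audit one Set-Cookie header value (attribute names are case-insensitive).
// Returns the cookie name and the list of missing hardening flags, so a
// response captured in a test or proxy log can be checked automatically.
function auditSetCookie(headerValue) {
  const [pair, ...attrs] = headerValue.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  const missing = [];
  if (!flags.has('httponly')) missing.push('HttpOnly');
  if (!flags.has('secure')) missing.push('Secure');
  return { name, missing, ok: missing.length === 0 };
}

// Constructed sample headers: one hardened, one as commonly seen without flags.
const hardened = buildSessionCookie('sid', 'abc123');
const weak = 'sid=abc123; Path=/';

console.log(hardened); // sid=abc123; Path=/; SameSite=Lax; Secure; HttpOnly
console.log(auditSetCookie(hardened)); // { name: 'sid', missing: [], ok: true }
console.log(auditSetCookie(weak)); // missing: [ 'HttpOnly', 'Secure' ], ok: false
```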