The HttpOnly flag ensures that the web application's cookie cannot be read by client-side script running in the user’s browser.
Preventing client-side script from accessing cookie content may reduce the probability that a cross-site scripting attack turns into a successful session hijack.
1 – Open the web.config file for the site, application, or virtual directory you want to configure.
2 – Add the <httpCookies httpOnlyCookies="true" /> element inside the <system.web> element.
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>
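
To confirm the setting after the two steps above, the following added example (not part of the original article) parses a web.config and reports the httpOnlyCookies state at the root and in each <location> block, where a per-path override can switch it back off. The function name, scope labels and the three sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from any real site).
HARDENED = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>"""

MISSING = """<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>"""

OVERRIDDEN = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
  <location path="legacy">
    <system.web>
      <httpCookies httpOnlyCookies="false" />
    </system.web>
  </location>
</configuration>"""


def audit_http_only(config_xml):
    """Return {scope: status} for the root and each <location> block."""
    root = ET.fromstring(config_xml)
    scopes = [("(root)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.findall("location")]
    results = {}
    for name, node in scopes:
        element = node.find("system.web/httpCookies")
        if element is None:
            # Nothing declared in this scope: the value is inherited from a
            # parent config, or is the ASP.NET default of false.
            results[name] = "not set"
        elif element.get("httpOnlyCookies", "").strip().lower() == "true":
            results[name] = "enabled"
        else:
            results[name] = "disabled"
    return results


if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("missing", MISSING), ("overridden", OVERRIDDEN)):
        print(label, audit_http_only(text))
```

A "not set" result at the root means the file itself does not turn the flag on, so the effective value depends on whatever configuration sits above it.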