1.3.2 Secure Cookies
In HTTP, cookies are a weak link and need additional attention. You could have a web site that is 100% encrypted and yet remains insecure because of how its cookies are configured.
- Mark cookies secure
-
Cookies will by default span HTTP and HTTPS contexts, which is why they need to be explicitly marked as secure for browsers to know to avoid plaintext.
- Mark cookies as HttpOnly
-
If a web site uses cookies that need not be accessed from the browser itself, they should be marked as HttpOnly. This is a defense-in-depth technique that aims to minimize the attack surface.
- Use cookie name prefixes
-
Cookie prefixes are a new security measure that is now supported by browsers and being added to the main cookie specification (RFC 6265bis). Cookies with names that start with prefixes
__Host-and__Secure-are given special powers that address a variety of problems that existed for years. All cookies should be transitioned to use these prefixes.
For best results, consider adding cryptographic integrity validation or even encryption to your cookies. These techniques are useful with cookies that include some application data. Encryption can help if the data inadvertently includes something that the user doesn't already know. Integrity validation will prevent tampering. With these kinds of cookies, it's also a good practice to bond the cookies to the context in which they were issued—for example, to the specific user account.