DEV Community

loading...
Cover image for How to Protect Cookies Against Common XSS Attacks on the Web?

How to Protect Cookies Against Common XSS Attacks on the Web?

Beto Muniz
Indie Creator @ listtta.com ~ seujob.tech ~ protocoloalterado.com.br • OSS Crafter • Writing about Web Development
・1 min read

We can ignore Cookies danger by just not recommending its usage, but the fact is that at least 55% of all the websites use Cookies RIGHT NOW even with lots of existing cookieless strategies.

So how to protect Cookies against Common XSS Attacks?

Well, if your app really needs to use Cookies, configure each one through Set-Cookie HTTP Header with at least the following flags:

🍪 Secure: To allow the Cookie only through HTTPS
🍪 HttpOnly: To remove the Cookie from the document.cookie
🍪 SameSite: To limit the Cookie context usage

Set-Cookie: Secure;HttpOnly;SameSite=Strict;...
Enter fullscreen mode Exit fullscreen mode

Hope that with these tips, your app now has a few more chances against XSS Attackers that use Cookies breaches. Anyway, keep in mind that complex attacks can easily bypass these tips. So try to migrate ASAP to cookieless strategies.

💌 If this content was useful for you, subscribe to my newsletter

Discussion (0)