Home / server / Questions / 962184
In Process
Axel
Asked: 2019-04-10 01:51:14 +0800 CST

Can't set http-only and secure cookies in Apache

  • 772

My website is on Apache which is hosted in AWS VPS.

I tried setting http-only flag and secure flag by editing security.conf file but upon checking the headers via https://hackertarget.com/http-header-check/ I see that there is no change and cookies are still without these flags.

I followed these steps:

Ensure you have mod_headers.so enabled in Apache HTTP server

Add following entry in /etc/apache2/conf-enabled/security.conf

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Restart Apache HTTP server to test

Can anyone help me out?

amazon-web-services

2 Answers

  1. Try to set the last part in "" like i did here:

    Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"

    After that try a apache syntax check with:

    apachectl -t

    Very good test for header security is the one from mozilla:

    https://observatory.mozilla.org/

    • 1 
  2. Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"

    There can be two reasons for set-cookie flag not working:

    1. Header control with CGI and not with Apache.
    2. AWS ELB truncating the cookies (in case your website is behind a load balancer).

    If it is the first case, this answer will work as it worked for me.

    • -1