Jeremy Druin

Yum! Secure Cookies

Updated: Apr 2

Cookie security is an oxymoron. Cookies live in the browser, an inherently insecure location. However, several best practices can reduce the risk through a combination of vulnerability prevention and restricting cookies to appropriate use cases.

The following security controls are available; each reduces the risk associated with a particular class of attack on cookies.

  1. Enable the HttpOnly attribute on all cookies to help protect cookies from cross-site scripting

  2. Enable the Secure attribute on all cookies to ensure cookies are only sent over HTTPS connections

  3. Enable SameSite=Lax or, if possible, SameSite=Strict on all cookies to reduce the chance of cross-site request forgery on authenticated transactions

  4. Do not set the Domain attribute, so that the cookie stays bound to the host that set it
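The four controls above can be checked mechanically. The following is an added example, not code from the original post: a small auditor that parses a Set-Cookie header value, reports which controls are missing, and a helper that builds a header with all four applied. The header values are constructed samples.

```python
"""Audit Set-Cookie headers against the four controls listed above.
Added example (not from the original post); the header values below are
constructed samples, not real application cookies."""
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    findings: list = field(default_factory=list)


def audit_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value and list missing controls."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive (RFC 6265), so normalise them.
    attrs = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        attrs[key.strip().lower()] = value.strip()
    audit = CookieAudit(name)
    if "httponly" not in attrs:
        audit.findings.append("missing HttpOnly (cookie readable by script)")
    if "secure" not in attrs:
        audit.findings.append("missing Secure (may be sent over plaintext HTTP)")
    same_site = attrs.get("samesite", "").lower()
    if same_site not in ("lax", "strict"):
        audit.findings.append("SameSite not Lax/Strict (sent on cross-site requests)")
    if "domain" in attrs:
        audit.findings.append(f"Domain={attrs['domain']} widens scope beyond the setting host")
    return audit


def hardened_set_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie value with all four controls applied."""
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Strict"


# Constructed sample headers: one weak, one hardened.
SAMPLES = [
    "session=abc123; Path=/; Domain=.example.com",
    hardened_set_cookie("session", "abc123"),
]

if __name__ == "__main__":
    for h in SAMPLES:
        a = audit_set_cookie(h)
        print(a.name, a.findings or "OK")
```

The weak sample yields four findings; the hardened one yields none.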

The way cookies are used is just as important. The various protections afforded to cookies do not protect them against the user(s) of the device. Follow these best practices to avoid overexposure.

  1. Do not use persistent cookies unless there is a business need

  2. Do not store mutable authorization tokens in cookies

  3. Do not store sensitive information in cookies, other than session tokens

The security controls mitigate some issues and proper use of cookies proactively avoids compromising situations. But many details remain. As such, we have created a series of videos to explain the security controls by example.
