Cookie security is something of an oxymoron. Cookies live in the browser, a location the application does not control: the user of the device can read and edit them, and any script running in the page can reach them unless the server says otherwise. There are, however, several best practices that reduce the risk through a combination of vulnerability prevention and restricting cookies to appropriate use cases.
The following security controls are available as cookie attributes. Each reduces the risk from a particular class of attack on cookies.
Set the HttpOnly attribute on all cookies so that script in the page cannot read them through document.cookie. This limits what a cross-site scripting flaw can steal; it does not prevent the flaw itself.
Set the Secure attribute on all cookies so that the browser only sends them over HTTPS connections.
Set SameSite=Lax, or SameSite=Strict where the application allows it, on all cookies to reduce the chance of cross-site request forgery against authenticated requests. Lax still sends the cookie on top-level navigations (for example a link the victim clicks), so Strict is the safer choice for cookies that authorize state-changing actions. Do not rely on the browser's default; state the value explicitly.
Do not set the Domain attribute. A cookie without it is host-only, bound to the exact host that set it; Domain=example.com would send it to every subdomain of example.com as well.
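The four controls above can be checked mechanically. The following is an added example, not code from the original page: a small Node.js auditor that parses a Set-Cookie header, reports which of the controls it fails, and a builder that emits a header satisfying all of them. The sample headers, function names and the policy of flagging Expires/Max-Age as "confirm the business need" are constructed for this illustration.

```javascript
// Added example (not from the original page): audit Set-Cookie headers
// against HttpOnly, Secure, SameSite and Domain, and build a header that
// passes. Stand-alone Node.js, no dependencies. Sample headers are constructed.

// Parse one Set-Cookie header into its name/value pair and attributes.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return a list of findings; an empty list means the header passes.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!("httponly" in attrs)) findings.push(`${name}: missing HttpOnly`);
  if (!("secure" in attrs)) findings.push(`${name}: missing Secure`);
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : null;
  if (sameSite === null) {
    findings.push(`${name}: missing SameSite (do not rely on the browser default)`);
  } else if (sameSite === "none") {
    findings.push(`${name}: SameSite=None gives no CSRF protection`);
  }
  if ("domain" in attrs) {
    findings.push(`${name}: Domain=${attrs.domain} shares the cookie with all subdomains`);
  }
  if ("expires" in attrs || "max-age" in attrs) {
    findings.push(`${name}: persistent cookie (Expires/Max-Age); confirm the business need`);
  }
  return findings;
}

// Build a header that passes auditSetCookie. Persistence must be requested
// explicitly via maxAgeSeconds; Domain is never emitted (host-only cookie).
function buildSetCookie(name, value, { sameSite = "Lax", path = "/", maxAgeSeconds = null } = {}) {
  if (!["Strict", "Lax"].includes(sameSite)) throw new Error("SameSite must be Strict or Lax");
  if (/[;,\s]/.test(name) || /[;,\s]/.test(value)) {
    throw new Error("cookie name/value may not contain ';', ',' or whitespace");
  }
  const parts = [`${name}=${value}`, `Path=${path}`, "HttpOnly", "Secure", `SameSite=${sameSite}`];
  if (maxAgeSeconds !== null) parts.push(`Max-Age=${maxAgeSeconds}`);
  return parts.join("; ");
}

// Constructed samples: a weak header as commonly seen, and a hardened one.
const WEAK_HEADER =
  "sessionid=abc123; Path=/; Domain=example.com; Expires=Wed, 01 Jan 2031 00:00:00 GMT";
const HARDENED_HEADER = buildSetCookie("sessionid", "abc123", { sameSite: "Strict" });

if (typeof require !== "undefined" && require.main === module) {
  console.log("weak:", auditSetCookie(WEAK_HEADER));
  console.log("hardened:", HARDENED_HEADER, auditSetCookie(HARDENED_HEADER));
}
```

Run it against the Set-Cookie headers your own application emits (for example, captured from a proxy) rather than the constructed samples; the weak sample trips all five checks, while the built header trips none.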
How cookies are used matters just as much. The protections afforded by these attributes do nothing against the user of the device, who can read and edit every cookie in the browser. Follow these best practices to avoid overexposure.
Do not use persistent cookies (those with an Expires or Max-Age attribute) unless there is a business need; a cookie without them is discarded when the browser session ends.
Do not store mutable authorization state, such as a role or privilege flag, in cookies. The user can change the value, so the server must never trust it; keep authorization state server-side and look it up from the session.
Do not store sensitive information in cookies. The one exception is the session token, which should be an opaque, random identifier that means nothing outside the server's session store.
The attribute controls mitigate some issues, and disciplined use of cookies avoids others, but many details remain. For that reason we have created a series of videos that explain the security controls by example.