My question is really simple, are HttpOnly or Secure flags needed if a website doesn't have a private part accessible with login?
3 Answers
It depends on what you use cookies for.
HttpOnly makes the cookie inaccessible from JavaScript. This is good for session cookies since it means that an attacker exploiting XSS can not steal them. However, in most situations you need to read the cookies with JS, and then setting the HttpOnly flag isn't really an option. So HttpOnly is mostly used for session cookies.
As for the Secure flag, unless you specifically need to send the cookie over HTTP you should always set it. Since the cookies are sent on all requests to your domain, even if they are not needed, it is easy to leak them if you just make one HTTP request. For instance, if you serve static images over HTTP and your cookies are not marked as Secure you will send them unencrypted. If the cookies contain any sensitive data at all that is very bad.
So, to make a decision you need to understand both the purpose of these flags and what the cookies are used for. There is no blanket answer.
These flags are useful if the cookies you're working with contain sensitive information (such as session cookies). They help to protect your cookies against being compromised in some attack scenarios.
To recap:
- A cookie flagged Secure is only sent to the server if the connection is secure (i.e. HTTPS). That is, a man-in-the-middle attacker can't capture them by intercepting a plain HTTP connection to your site.
- A cookie flagged HttpOnly is not accessible to scripts. That is, an XSS vulnerability on your site wouldn't allow an attacker to directly exfiltrate a HttpOnly cookie via JavaScript's document.cookie.
If all your cookies are non-sensitive (e.g. a language setting) then you wouldn't absolutely have to harden access with these flags. But if you never use Javascript to access cookies and your entire domain is only available over HTTPS anyway, it's good practice to add them.
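The first two answers both describe the same rule of thumb: Secure on every cookie unless it genuinely must travel over plain HTTP, and HttpOnly on any cookie that scripts do not need to read (session cookies above all). The following Python is an added example, not code from the question or any answer: it parses Set-Cookie response headers, audits them against that rule, and builds a correctly flagged header with the standard library. The header lines, the cookie names and the set of names treated as sensitive (SENSITIVE_NAMES) are constructed assumptions for the demonstration.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example; the sample headers and the SENSITIVE_NAMES policy are
constructed for illustration and do not come from any real site.
"""
from http.cookies import SimpleCookie

# Constructed sample response headers: one hardened session cookie, one
# harmless preference cookie, and one token cookie missing HttpOnly.
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
    "Set-Cookie: csrftoken=xyz789; Path=/; Secure",
]

# Assumption: these cookie names carry data that scripts never need to read,
# so they must also be HttpOnly. Adjust to the application's actual cookies.
SENSITIVE_NAMES = {"sessionid", "csrftoken"}


def parse_set_cookie(header_line):
    """Split one 'Set-Cookie: ...' line into (name, value, flags, attrs).

    flags holds lowercased valueless attributes ('secure', 'httponly');
    attrs maps lowercased valued attributes ('path', 'samesite', ...) to
    their values.
    """
    _, _, raw = header_line.partition(":")
    parts = [p.strip() for p in raw.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    flags, attrs = set(), {}
    for attr in parts[1:]:
        key, sep, val = attr.partition("=")
        if sep:
            attrs[key.strip().lower()] = val.strip()
        else:
            flags.add(key.strip().lower())
    return name.strip(), value, flags, attrs


def audit(headers, sensitive=SENSITIVE_NAMES):
    """Return [(cookie_name, [missing flags...])] for every non-compliant cookie.

    Policy (from the answers above): Secure is required on every cookie;
    HttpOnly is required on cookies scripts do not need to read.
    """
    findings = []
    for line in headers:
        name, _, flags, _ = parse_set_cookie(line)
        missing = []
        if "secure" not in flags:
            missing.append("Secure")
        if name in sensitive and "httponly" not in flags:
            missing.append("HttpOnly")
        if missing:
            findings.append((name, missing))
    return findings


def set_cookie_header(name, value, secure=True, httponly=True,
                      samesite="Lax", path="/"):
    """Build a Set-Cookie header line with the flags switched on by default."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    jar[name]["secure"] = secure
    jar[name]["httponly"] = httponly
    jar[name]["samesite"] = samesite
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS):
        print(f"{cookie}: missing {', '.join(missing)}")
    print(set_cookie_header("sessionid", "abc123"))
```

Running it reports that lang lacks Secure and csrftoken lacks HttpOnly, while sessionid passes; the builder shows the shape a compliant header takes. A language-preference cookie like lang would also pass once Secure is added, since the policy only demands HttpOnly for names the application marks as sensitive.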
If your site doesn't use cookies (as would be required for a site with a login), then not only do you not need the HttpOnly or Secure flags, but you actually can't use them. It's simply not possible, as those flags can only be set on cookies.
If you're using cookies for something else besides user logins then yes, setting those flags on your cookies could potentially benefit your users' privacy and/or security by making it more difficult for a MITM attacker or third party script on your site to read those values.
Given how trivial it usually is to use HttpOnly and Secure, unless you have a specific reason you need your cookies to be accessible over plaintext or via JavaScript you might as well set those flags if you can.