Tuto HTTP (2022-11-08 14H (Europe/Paris)) Set-Cookie

Set-Cookie

See also

  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

  • https://blog.appcanary.com/2017/http-security-headers.html#cookie-options


Definition 1

This isn't a security header per se, but there are three cookie attributes you should be aware of.

  • Cookies marked Secure are only sent over HTTPS. This prevents an attacker in a MiTM position, who can force the browser to visit a given page, from reading them on a plaintext connection.

  • HttpOnly is a misnomer and has nothing to do with HTTPS (unlike Secure above). Cookies marked HttpOnly cannot be accessed from JavaScript. So if there is an XSS flaw, the attacker can't immediately steal the cookies.

  • SameSite helps defend against Cross-Site Request Forgery (CSRF) attacks. In such an attack, a different website the user is visiting tricks their browser into making a request against your site, e.g. by including an image to make a GET request, or by using JavaScript to submit a form for a POST request. Generally, people defend against this with CSRF tokens. A cookie marked SameSite (Strict, or Lax for anything other than a top-level GET navigation) won't be sent with requests initiated from a different site.
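To make the three attributes concrete, here is an added example in Python (not code from the original page or from the appcanary post it draws on): it parses Set-Cookie header values, flags the missing attributes a reviewer would raise, and approximates when a browser attaches a cookie to a request. The sample headers are constructed; the browser behaviour modelled for an absent SameSite attribute (treated as Lax) and for SameSite=None without Secure (rejected) is Chromium's, stated here as an assumption of the model, and Lax is modelled only by the top-level GET distinction.

```python
"""Audit Set-Cookie headers for the Secure, HttpOnly and SameSite attributes."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample headers for the demonstration (not captured from any real site).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "csrftoken=tok456; Path=/; Secure; SameSite=Strict",
    "tracking=xyz; Path=/",
    "legacy=1; Path=/; SameSite=None",
]


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False
    samesite: Optional[str] = None          # "Strict", "Lax", "None", or None when absent
    other: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value. Attribute names are case-insensitive (RFC 6265)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "samesite":
            cookie.samesite = val.capitalize()   # normalise "lax" -> "Lax"
        else:
            cookie.other[key] = val              # Path, Domain, Max-Age, ...
    return cookie


def audit(cookie: Cookie) -> list:
    """Return the weaknesses a reviewer would flag for this cookie."""
    findings = []
    if not cookie.secure:
        findings.append("missing Secure: also sent over plaintext HTTP")
    if not cookie.httponly:
        findings.append("missing HttpOnly: readable from document.cookie, so an XSS bug exposes it")
    if cookie.samesite is None:
        findings.append("missing SameSite: browser default applies (Chromium treats it as Lax)")
    elif cookie.samesite == "None":
        findings.append("SameSite=None: sent on cross-site requests, CSRF tokens remain essential")
        if not cookie.secure:
            findings.append("SameSite=None without Secure: Chromium rejects such a cookie")
    return findings


def would_be_sent(cookie: Cookie, *, https: bool, cross_site: bool, top_level_get: bool) -> bool:
    """Approximate the browser's decision to attach the cookie to a request.

    HttpOnly plays no part here: it only hides the cookie from script, it does
    not stop the browser from sending it.
    """
    if cookie.secure and not https:
        return False
    if not cross_site:
        return True
    mode = cookie.samesite or "Lax"   # assumption: Chromium default for an absent attribute
    if mode == "None":
        return True
    if mode == "Lax":
        return top_level_get           # e.g. following a link, but not an <img> or a POST
    return False                       # Strict: never on cross-site requests


def audit_headers(headers) -> dict:
    """Map cookie name -> findings for a list of Set-Cookie header values."""
    return {c.name: audit(c) for c in map(parse_set_cookie, headers)}


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(name, "->", findings or "OK")
```

Run it as a script to see the four sample cookies audited; in a review you would feed it the Set-Cookie values captured from a response to a login or form submission.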

Django solution (if using HTTPS)

See also

  • https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-SESSION_COOKIE_SECURE

Django session cookies are HttpOnly by default. To mark them Secure as well, add to settings.py:

    SESSION_COOKIE_SECURE = True

Not sure about SameSite.
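Django exposes the same three attributes through settings: SESSION_COOKIE_SECURE, SESSION_COOKIE_HTTPONLY and SESSION_COOKIE_SAMESITE for the session cookie, and the CSRF_COOKIE_SECURE, CSRF_COOKIE_HTTPONLY and CSRF_COOKIE_SAMESITE counterparts for the CSRF cookie; SESSION_COOKIE_SAMESITE defaults to 'Lax'. The following added example, not code from this page or from Django itself, renders the Set-Cookie value those settings produce (using http.cookies, which Django's HttpResponse.set_cookie also relies on) and lists the settings an HTTPS deployment should change from their defaults. The default and recommended values are embedded in the block, and the cookie values are placeholders.

```python
"""Render the Set-Cookie attributes Django derives from its settings."""
from http.cookies import SimpleCookie

# Values Django uses when a setting is absent (its documented defaults).
DJANGO_DEFAULTS = {
    "SESSION_COOKIE_NAME": "sessionid",
    "SESSION_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SAMESITE": "Lax",
    "CSRF_COOKIE_NAME": "csrftoken",
    "CSRF_COOKIE_SECURE": False,
    "CSRF_COOKIE_HTTPONLY": False,
    "CSRF_COOKIE_SAMESITE": "Lax",
}

# Values for an HTTPS deployment: Secure on both cookies.
# CSRF_COOKIE_HTTPONLY stays False here because front-end code commonly reads
# the token from the cookie; set it True only if no script needs it.
RECOMMENDED_SETTINGS = {
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SAMESITE": "Lax",   # "Strict" is tighter but drops the session on links from other sites
    "CSRF_COOKIE_SECURE": True,
    "CSRF_COOKIE_HTTPONLY": False,
    "CSRF_COOKIE_SAMESITE": "Lax",
}


def _setting(settings, key):
    """Look a setting up, falling back to Django's default."""
    return settings.get(key, DJANGO_DEFAULTS[key])


def render_cookie(name, value, *, secure, httponly, samesite):
    """Serialise one cookie the way the standard library (and Django) does."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["secure"] = secure        # flag attributes are emitted only when truthy
    morsel["httponly"] = httponly
    if samesite:                     # Django accepts None/False to omit the attribute
        morsel["samesite"] = samesite
    return morsel.OutputString()


def session_cookie_header(settings, value="placeholder-session-id"):
    """Set-Cookie value for the session cookie under the given settings."""
    return render_cookie(
        _setting(settings, "SESSION_COOKIE_NAME"), value,
        secure=_setting(settings, "SESSION_COOKIE_SECURE"),
        httponly=_setting(settings, "SESSION_COOKIE_HTTPONLY"),
        samesite=_setting(settings, "SESSION_COOKIE_SAMESITE"),
    )


def csrf_cookie_header(settings, value="placeholder-csrf-token"):
    """Set-Cookie value for the CSRF cookie under the given settings."""
    return render_cookie(
        _setting(settings, "CSRF_COOKIE_NAME"), value,
        secure=_setting(settings, "CSRF_COOKIE_SECURE"),
        httponly=_setting(settings, "CSRF_COOKIE_HTTPONLY"),
        samesite=_setting(settings, "CSRF_COOKIE_SAMESITE"),
    )


def deployment_warnings(settings):
    """Settings an HTTPS deployment should not leave at Django's defaults."""
    warnings = []
    if not _setting(settings, "SESSION_COOKIE_SECURE"):
        warnings.append("SESSION_COOKIE_SECURE is False: session cookie also travels over HTTP")
    if not _setting(settings, "SESSION_COOKIE_HTTPONLY"):
        warnings.append("SESSION_COOKIE_HTTPONLY is False: session id readable from script")
    if not _setting(settings, "CSRF_COOKIE_SECURE"):
        warnings.append("CSRF_COOKIE_SECURE is False: CSRF cookie also travels over HTTP")
    if _setting(settings, "SESSION_COOKIE_SAMESITE") not in ("Lax", "Strict"):
        warnings.append("SESSION_COOKIE_SAMESITE is not Lax/Strict: cookie sent on cross-site requests")
    return warnings


if __name__ == "__main__":
    print("defaults   :", session_cookie_header({}))
    print("recommended:", session_cookie_header(RECOMMENDED_SETTINGS))
    for w in deployment_warnings({}):
        print("warning:", w)
```

On a real project, `python manage.py check --deploy` reports the missing Secure flags in the same spirit; the block above just makes the mapping from setting to header attribute visible without a running Django instance.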

© Copyright 2019-2022, DevOps people Built with sphinx 5.3.0 Python 3.11.0.
Last updated on Nov 08, 2022.
Created using Sphinx 5.3.0. and Material for Sphinx