CUI

Documentation - V-222575

V-222575

Application Security and Development Security Technical Implementation Guide

CAT II

Title

The application must set the HTTPOnly flag on session cookies.

Description

<VulnDiscussion>HTTPOnly is a flag included in a Set-Cookie HTTP response header. If the HTTPOnly flag is included in the HTTP response header, the cookie cannot be accessed through client-side scripts like JavaScript. If the HTTPOnly flag is set, then even if a cross-site scripting (XSS) flaw exists in the application and a user accidentally accesses a link that exploits this flaw, the browser will not reveal the cookie to a third party. The HTTPOnly setting is browser dependent; however, most popu...

Fix Text (Documentation Requirement)

Configure the application to set the HTTPOnly flag on session cookies.
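The following is an added example, not part of the STIG text: it shows a session cookie header emitted with and without the HttpOnly attribute, and a small audit routine that a reviewer could run over captured Set-Cookie header values to find session cookies that lack the flag. The list of session cookie names and the sample header values are constructed for illustration and are not from any real application.

```python
"""Added example for STIG V-222575 (not the STIG's own material).

Shows (1) emitting a session cookie with and without HttpOnly and
(2) auditing Set-Cookie header values for session cookies that lack it.
"""
from http.cookies import SimpleCookie

# Assumption: common session cookie names to treat as in scope for the
# HttpOnly check. Constructed list; extend it for the application under review.
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "asp.net_sessionid"}


def build_session_cookie(name, value, httponly=True):
    """Return a Set-Cookie header value for a session cookie.

    httponly=False reproduces the weak configuration the STIG finding
    describes; httponly=True (the default) is the hardened form.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = httponly  # emits the HttpOnly attribute only when True
    return jar[name].OutputString()


def parse_set_cookie(header_value):
    """Split a Set-Cookie header value into (name, value, {attr: val}).

    Attribute names are lower-cased because browsers match them
    case-insensitively; flag attributes such as HttpOnly have an empty value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie_headers(header_values):
    """Return [(cookie_name, finding)] for session cookies missing HttpOnly.

    Cookies whose names are not in SESSION_COOKIE_NAMES are ignored, since
    the STIG requirement is scoped to session cookies.
    """
    findings = []
    for header_value in header_values:
        name, _, attrs = parse_set_cookie(header_value)
        if name.lower() in SESSION_COOKIE_NAMES and "httponly" not in attrs:
            findings.append((name, "missing HttpOnly"))
    return findings


# Constructed sample response headers (not captured from a real system).
SAMPLE_RESPONSE_HEADERS = [
    "SESSIONID=3f9a1c; Path=/",                    # weak: session cookie without HttpOnly
    "SESSIONID=3f9a1c; Path=/; HttpOnly; Secure",  # hardened form
    "theme=dark; Path=/",                          # non-session cookie, out of scope
]


if __name__ == "__main__":
    print("weak:     ", build_session_cookie("SESSIONID", "3f9a1c", httponly=False))
    print("hardened: ", build_session_cookie("SESSIONID", "3f9a1c"))
    for cookie_name, finding in audit_set_cookie_headers(SAMPLE_RESPONSE_HEADERS):
        print(f"FINDING: {cookie_name}: {finding}")
```

Run it directly to see the two header forms side by side and the single finding raised against the weak header; in a review, feed `audit_set_cookie_headers` the Set-Cookie values captured from the application's login and session-establishment responses.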
