Conversation

@fubarhouse fubarhouse commented Jul 11, 2023

An HTTP cookie is a small piece of information that a server sends to the user’s web browser. The Cookie header stores the HTTP cookies previously sent by the web server with the Set-Cookie header.

The session cookies are deleted when the browser shuts down and if the cookies are permanent, they will expire at the time defined by Expires or Max-Age.

The risk of client-side scripts accessing the protected cookie can be mitigated by including an additional “HttpOnly” flag in the Set-Cookie HTTP response header.

As a result, the browser will not reveal the cookie to a third party even if a cross-site scripting (XSS) flaw exists in the web application.

https://support.detectify.com/support/solutions/articles/48001048952-missing-httponly-flag-on-cookies

https://github.com/skpr/image-php/blob/patch/secure-cookies/base/conf.d/50_overrides.ini#L17

When the HTTP protocol is used for communication between client and server, the data traffic is sent in plaintext. HTTP allows an attacker to see/modify the traffic using a Man-In-The-Middle attack (MITM). HTTPS is a secure version of HTTP. This protocol uses SSL/TLS to protect the data in the application layer. HTTPS is used for better authentication and data integrity.

A secure flag is set by the application server while sending a new cookie to the user using an HTTP response. The secure flag is used to prevent cookies from being observed and manipulated by an unauthorized party or parties, because otherwise the cookie is sent as normal text. A browser will not send a cookie with the secure flag over an unencrypted HTTP request. That is, by setting the secure flag the browser will prevent/stop the transmission of a cookie over an unencrypted channel.

https://beaglesecurity.com/blog/vulnerability/cookie-session-without-secure-flag.html

https://github.com/skpr/image-php/blob/patch/secure-cookies/base/conf.d/50_overrides.ini#L18
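The two linked lines presumably enable PHP's `session.cookie_httponly` and `session.cookie_secure` directives (an assumption; the exact contents of `50_overrides.ini` are not shown here). A quick way to confirm the change took effect is to audit the `Set-Cookie` headers the server actually emits. The following is an added example, not code from the skpr/image-php project: it parses raw HTTP response headers, flags each cookie that lacks `HttpOnly` or `Secure`, and notes whether the cookie is a session cookie or persistent (has `Expires`/`Max-Age`). The sample response headers are constructed for illustration.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example, not part of skpr/image-php. SAMPLE_HEADERS below is a
constructed response, not captured from any real server.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    persistent: bool            # True when Expires or Max-Age is present
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value and check its security flags.

    Attribute names are compared case-insensitively, as browsers do;
    flag attributes (HttpOnly, Secure) have no value.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    audit = CookieAudit(
        name=name,
        http_only="httponly" in attrs,
        secure="secure" in attrs,
        persistent="expires" in attrs or "max-age" in attrs,
    )
    if not audit.http_only:
        audit.findings.append(
            "missing HttpOnly: readable by client-side script via document.cookie"
        )
    if not audit.secure:
        audit.findings.append(
            "missing Secure: browser will also send it over plaintext HTTP"
        )
    return audit


def audit_response_headers(raw_headers: str) -> List[CookieAudit]:
    """Audit every Set-Cookie line in a block of raw HTTP response headers."""
    results: List[CookieAudit] = []
    for line in raw_headers.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            results.append(parse_set_cookie(value.strip()))
    return results


# Constructed sample: a hardened PHP session cookie and a weak persistent cookie.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly; Secure
Set-Cookie: theme=dark; path=/; Max-Age=2592000
"""

if __name__ == "__main__":
    for cookie in audit_response_headers(SAMPLE_HEADERS):
        kind = "persistent" if cookie.persistent else "session"
        status = "OK" if not cookie.findings else "; ".join(cookie.findings)
        print(f"{cookie.name} ({kind}): {status}")
```

Feed it the output of `curl -sI https://host/` (the headers only) to check a running container; the session cookie should report `OK` once both directives are enabled, while application cookies set with `setcookie()` still need their own flags.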

@nickschuch nickschuch force-pushed the main branch 2 times, most recently from 90a77e2 to d795bc6 Compare January 13, 2026 01:48