Wednesday, April 10, 2013

Secure your cookies

Troy Hunt did a great blog post about how and why you should secure your cookies.

They are 2 important lessons you can learn from this post:

  • Lesson 1: if you don’t need to read the cookie value on the client, disable this function. In ASP.NET you can set this as the default for all cookies through the web.config:
    • <httpCookies httpOnlyCookies="true" />
  • Lesson 2: allow your cookies to be send only over HTTPS. And again this can be set in the web.config in ASP.NET :
    • <httpCookies requireSSL="true" />

More info: http://www.troyhunt.com/2013/03/c-is-for-cookie-h-is-for-hacker.html

No comments: