How to implement cookie HTTP header flag with HTTPOnly & Secure OLS

#1
Dear OLS community, we are currently testing OLS to replace the Apache web server, but we need step-by-step instructions to set the cookie HTTP header flags HttpOnly & Secure on OLS. Can anyone help us properly implement the secure cookie flag on OLS (v.1.7.14)? When we put Header set cookie in the VH context, it worked but was detected before the cookie, and the cookie is still not "HttpOnly" & "Secure".

Thank you all.

Web server:
Ubuntu 20.04 LTS
OLS 1.7.14
React JS web application

context HTTP Header:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy default-src https:; font-src https: data:; img-src https: data:; script-src https:; style-src https:;
X-Content-Type-Options "nosniff" always
X-Frame-Options: SAMEORIGIN
X-XSS-Protection 1;mode=block
Header set Set-Cookie HttpOnly;Secure
Expect-CT enforce, max-age=21600
Referrer-Policy: no-referrer-when-downgrade
 


#3
> Hi, I'm still not clear about the expected result. Could you describe it more? Sharing an example here would be helpful.

The expected result when we test the cookie flag is like this:

expected result.png

Current result: the cookie is still not "httponly" and "secure".
current result.png

Many thanks for helping us.
 

Cold-Egg

Administrator
#4
I see. Usually, the cookie is set by the app. If the app has set the cookie "httponly" and "secure", OLS would just pass it along.
So it's best that the app sets the cookie correctly in the first place; then there is no need for the web server to modify it.
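
The reply above says the flags belong on the cookie the app itself sets. As an added example (not part of the original thread, not OLS code), this Node.js check audits `Set-Cookie` header lines and shows that a flags-only line, like the one in the context headers of post #1, protects no cookie. The cookie names and values are constructed.

```javascript
// Added example: audit Set-Cookie response headers for HttpOnly and Secure.
// Each Set-Cookie header line defines exactly one cookie, so attributes
// sent on a separate line do not attach to a cookie set by the application.

function parseSetCookie(line) {
  const parts = line.split(";").map((p) => p.trim()).filter(Boolean);
  const first = parts[0] || "";
  const eq = first.indexOf("=");
  // A first segment without "name=" is not a cookie pair (attribute-only line).
  const name = eq > 0 ? first.slice(0, eq) : null;
  const attrs = new Set(
    (name ? parts.slice(1) : parts).map((p) => p.split("=")[0].trim().toLowerCase())
  );
  return { name, httpOnly: attrs.has("httponly"), secure: attrs.has("secure") };
}

function auditSetCookie(lines) {
  const findings = [];
  for (const line of lines) {
    const c = parseSetCookie(line);
    if (c.name === null) {
      findings.push({ line, issue: "no name=value pair; flags here protect no cookie" });
      continue;
    }
    const missing = [];
    if (!c.httpOnly) missing.push("HttpOnly");
    if (!c.secure) missing.push("Secure");
    if (missing.length) {
      findings.push({ line, cookie: c.name, issue: "missing " + missing.join(", ") });
    }
  }
  return findings;
}

// Constructed sample: a flags-only line added by the web server next to
// one unprotected and one correctly flagged application cookie.
const sampleResponse = [
  "HttpOnly;Secure",
  "session=abc123; Path=/",
  "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
];

function runSample() {
  return auditSetCookie(sampleResponse);
}

console.log(runSample());
```
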
 
#5
> I see. Usually, the cookie is set by the app. If the app has set the cookie "httponly" and "secure", OLS would just pass it along.
> So it's best that the app sets the cookie correctly in the first place; then there is no need for the web server to modify it.

Unfortunately the website is based on React JavaScript, where JavaScript doesn't support httpOnly & secure for cookie flags :(

Many thanks for the help.
 