Claudia Posted March 25, 2018
"Your website uses unsafe cookies that can be read via JavaScript. In this way you give the possibility to an external attacker to access e.g. your customers' data during an open user session."
I'm a beginner, how can I solve this? The cookie to secure is the session ID. I read that I can solve it with httponly, but how can I set this parameter? In the config.inc.php file? Can you write it step by step?
Frédéric Posted March 25, 2018
Hello, you can secure cookies with the following directives in the .htaccess:

<IfModule mod_rewrite.c>
<IfModule mod_env.c>
SetEnv HTTP_MOD_REWRITE On
</IfModule>
</IfModule>

# php_value is only honoured when PHP runs as an Apache module (mod_php).
# Under PHP-FPM/CGI the directive is unknown to Apache and produces a 500 error.
# session.cookie_secure 1 also requires the shop to be served over HTTPS.
php_value session.cookie_httponly 1
php_value session.cookie_secure 1

<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set Content-Security-Policy "frame-ancestors 'none';"
# X-Content-Security-Policy is a legacy, prefixed header name that current browsers ignore.
Header always set X-Content-Security-Policy "default-src 'none'; script-src 'self' https://code.jquery.com https://www.google-analytics.com; img-src 'self' https://www.google-analytics.com; connect-src 'self'; font-src 'self'; style-src 'self';"
Header set Referrer-Policy "no-referrer, strict-origin-when-cross-origin"
Header always set X-Xss-Protection "1; mode=block"
</IfModule>

This secures cookies as well as setting up all the security headers for a website: HttpOnly; Strict-Transport-Security; X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, Referrer-Policy, X-Xss-Protection. Then once in place go to https://securityheaders.io/. Enter the address of your website and you will validate all the cookie security included. If in doubt send me your .htaccess; I integrate them and forward it to you.
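Frédéric's post ends by validating the result with an online scanner. As an added example, not code from the thread or from PrestaShop, the following Python script runs the same kind of check offline against a saved response: it parses every Set-Cookie header for the HttpOnly and Secure flags the thread is about (plus SameSite, which the thread does not mention), and checks the presence and value shape of the security headers the .htaccess sets. The response text, cookie names and values are constructed for the example.

```python
"""Offline audit of Set-Cookie flags and security response headers.

Added example, not code from the forum thread or from PrestaShop. It mimics
the checks an online scanner performs, so the .htaccess fix can be verified
against a saved response (here a constructed one) without an external service.
"""
import re

# Constructed sample response: the first cookie reproduces the finding in the
# original post (a session cookie readable from JavaScript); the second is set
# correctly. Content-Security-Policy is deliberately left out.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Set-Cookie: PrestaShop-cart=xyz; path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer, strict-origin-when-cross-origin\r\n"
    "\r\n"
)

# Headers the .htaccess in the thread sets, with the value shape each must have.
EXPECTED_HEADERS = {
    "strict-transport-security": re.compile(r"max-age=\d+"),
    "x-frame-options": re.compile(r"^(DENY|SAMEORIGIN)$", re.IGNORECASE),
    "x-content-type-options": re.compile(r"^nosniff$", re.IGNORECASE),
    "content-security-policy": re.compile(r"\S"),
    "referrer-policy": re.compile(r"\S"),
}
SIX_MONTHS = 180 * 24 * 3600


def parse_headers(raw):
    """Return (status_line, [(lower_name, value), ...]). Duplicates are kept
    because Set-Cookie legitimately appears once per cookie."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_findings(set_cookie):
    """Flag a Set-Cookie value that lacks the attributes a session cookie needs."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable via document.cookie)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (also sent over plain HTTP)")
    if "samesite" not in attrs:
        findings.append(f"{name}: missing SameSite")
    return findings


def header_findings(headers):
    """Check presence and value shape of the security headers; the first
    occurrence of a header wins, as a browser would use it."""
    first = {}
    for name, value in headers:
        first.setdefault(name, value)
    findings = []
    for name, pattern in EXPECTED_HEADERS.items():
        value = first.get(name)
        if value is None:
            findings.append(f"{name}: missing")
        elif not pattern.search(value):
            findings.append(f"{name}: unexpected value {value!r}")
    hsts = first.get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", hsts)
    if match and int(match.group(1)) < SIX_MONTHS:
        findings.append("strict-transport-security: max-age shorter than six months")
    return findings


def audit(raw):
    """All findings for one raw HTTP response, cookie findings first."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(cookie_findings(value))
    findings.extend(header_findings(headers))
    return findings


if __name__ == "__main__":
    for finding in audit(RAW_RESPONSE):
        print(finding)
```

Running it on the sample reports the unflagged PHPSESSID cookie three times (HttpOnly, Secure, SameSite) and the missing Content-Security-Policy header; once the .htaccess above is in place and the server actually honours php_value, the same response should audit clean apart from SameSite.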
Claudia Posted March 25, 2018
Hi Frédéric, thank you very much. I'll send you the file if it's not a problem for you. In which folder do I find it? How can I send it to you?
Frédéric Posted March 25, 2018 (edited)
It's at the root. If you haven't managed it, send me your htaccess file or the FTP login details and the address of your site. I forgot the email address: [email protected]
Edited March 25, 2018 by Frédéric
Claudia Posted March 25, 2018
46 minutes ago, Frédéric said:
    It's at the root. If you haven't managed it, send me your htaccess file or the FTP login details and the address of your site. I forgot the email address: [email protected]
Hi dear, I sent you the file.
Frédéric Posted March 25, 2018
I sent the secured file.
Claudia Posted March 25, 2018
Thanks dear, unfortunately this solution doesn't work.
Frédéric Posted March 25, 2018
Did you rename it to .htaccess?
Claudia Posted March 25, 2018
Hi, yes, but this is the error:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator at to inform them of the time this error occurred, and the actions you performed just before this error.
More information about this error may be available in the server error log.
Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
hakeryk2 Posted March 26, 2018
Quote:
    "Your website uses unsafe cookies that can be read via JavaScript. In this way you give the possibility to an external attacker to access e.g. your customers' data during an open user session."
Where did you receive this message?
Claudia Posted March 26, 2018
9 minutes ago, hakeryk2 said:
    Where did you receive this message?
On the 1and1 website analysis, but you can analyze your site with any other tool.
wagonDos Posted January 28, 2019 (edited)
Ok, this is epic.
Edited January 28, 2019 by wagonDos
wagonDos Posted January 28, 2019 (edited)
Epic.
Edited January 28, 2019 by wagonDos
MathiasReker Posted June 29, 2019 (edited)
This module has an option to make "unsafe cookies" safe and an option to apply all security headers: https://addons.prestashop.com/en/website-security-access/44413-security-pro.html
Edited June 29, 2019 by MathiasReker