How do I set the HttpOnly cookie attribute in CA API Developer Portal?

Article ID: 9926

Products

CA API Developer Portal, CA API Gateway

Issue/Introduction

My vulnerability scanner recommends that I implement the HttpOnly flag, also known as "secure cookies". I want to set the HttpOnly flag. How do I accomplish that?
  • HttpOnly is an additional attribute on a cookie, not a cookie of its own. It is sent as part of the Set-Cookie HTTP response header.
  • Using the HttpOnly flag helps mitigate the risk that client-side script, for example script injected through an XSS flaw, reads the cookie.
  • It tells the browser that this particular cookie may only be sent back to the server with HTTP requests and must not be exposed to client-side script (for example through document.cookie).
  • This only works if the browser supports it, but nearly all modern browsers do. Do keep this in mind, though.
    • It is not a "silver bullet"; it just makes it harder to collect data that nobody other than the server should have.

Environment

This article applies to all CA API Developer Portal 3.x versions.

Resolution

To implement the HttpOnly flag for the cookie, follow these steps:

  1. Stop the apiportal service: service apiportal stop
  2. Update /opt/Deployments/lrs/server/conf/server.xml by replacing <Context path="" docBase="ROOT"> with <Context path="" docBase="ROOT" useHttpOnly="true">, then save the changes.
  3. Start the apiportal service: service apiportal start
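After the restart, confirm that the portal really sets the attribute before closing the scanner finding. The following script is an added example, not part of this article or the product: audit_httponly reads raw HTTP response headers and names every cookie set without HttpOnly, and check_portal runs that audit against a live URL with curl; the portal URL and the cookie names in the sample headers are assumptions.

```shell
#!/bin/sh
# Added example (not from the CA KB article): verify that every Set-Cookie
# header returned by the portal carries the HttpOnly attribute.

# audit_httponly reads raw HTTP response headers on stdin, prints the name
# of every cookie that is set WITHOUT HttpOnly, and returns 1 if any exist.
audit_httponly() {
    missing=$(tr -d '\r' \
        | grep -i '^Set-Cookie:' \
        | grep -Eiv ';[[:space:]]*HttpOnly([[:space:]]*;|[[:space:]]*$)' \
        | sed -E 's/^[Ss]et-[Cc]ookie:[[:space:]]*([^=;[:space:]]+).*/\1/')
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# check_portal fetches only the headers of a live portal URL (the URL is an
# assumption) and runs the audit, e.g. check_portal https://portal.example.com/
check_portal() {
    curl -sSI "$1" | audit_httponly
}

# Constructed sample headers; cookie names are illustrative, not the
# portal's real cookie names. "Before" is what a scanner flags; "after" is
# what the useHttpOnly="true" Context attribute produces after the restart.
HEADERS_BEFORE='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/
Set-Cookie: portal_pref=dark; Path=/; Secure'

HEADERS_AFTER='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly
Set-Cookie: portal_pref=dark; Path=/; Secure; HttpOnly'

printf '%s\n' "$HEADERS_BEFORE" | audit_httponly \
    || echo "before: the cookies listed above lack HttpOnly"
printf '%s\n' "$HEADERS_AFTER" | audit_httponly \
    && echo "after: all cookies carry HttpOnly"
```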

Additional Information

The description of the HttpOnly flag above was adapted from the following webpages: