How can you secure your HTTP cookies against XSS attacks?

-
XSS occurs when the attacker injects executable JavaScript code into the HTML response.
To mitigate these attacks, you have to set flags on the set-cookieHTTP header:
  • HttpOnly - this attribute is used to help prevent attacks such as cross-site scripting since it does not allow the cookie to be accessed via JavaScript.
  • secure - this attribute tells the browser to only send the cookie if the request is being sent over HTTPS.
So it would look something like this: Set-Cookie: sid=<cookie-value>; HttpOnly. If you are using Express, with express-cookie session, it is working by default.

Comments

Post a Comment

Popular posts from this blog

What is MQTT protocol & its use

-
Image
So let' start journey towards gets basics about MQTT. Before understanding MQTT, we should know what basically is publish/subscribe design pattern. The publish/subscribe pattern (also known as pub/sub ) provides an alternative to traditional client-server architecture.  In the client-sever model , a client communicates directly with an endpoint. The pub/sub model decouples the client that sends a message (the publisher) from the client or clients that receive the messages (the subscribers). The publishers and subscribers never contact each other directly. In fact, they are not even aware that the other exists.  The connection between them is handled by a third component (the Broker - eg https://mosquitto.org ). The job of the Broker is to filter all incoming messages and distribute them correctly to subscribers. Now coming back to MQTT - MQTT is a Client Server publish/subscribe messaging transport protocol. Being a light weight, open, simple protocol
Read more

What the hack is Call, bind & apply

-
As Javascript developers, most of the time we are pretty confused about the Call, bind & apply & their use in JavaScript. So let's try to understand. 1. CALL & APPLY Both are these methods are simply known as immediately invoked function. What basically it means whenever you defined both these methods on a function it execute immediately as we run the program. Technically, if we define CALL & APPLY, both are used to execute a function in a different this context. Where this is passed as first argument & the second or subsequent argument (for Call ) is treated as arguments Only difference b/w them is that CALL takes argument as comma separated while apply takes argument as an array with this as first argument. So syntax wise, we can simply write them as follows - f.call(<this-context>, a1, a2, a3, ...) f.apply(<this-context>, [a1, a2, a3, ...]) Where f is a function to be called in respect of a different this context, where in the
Read more

What is Provider in Angular Js?

-
What is Provider in Angular Js? You can define Provider as service which is configurable and which should be used when you want to expose an API for application-wide configuration that must be made before the application starts. So technically speaking, it make sense during bootstrap(config) phase. During application bootstrap, before AngularJS goes off creating all services, it configures and instantiates all providers. We call this the configuration phase of the application life-cycle . During this phase, services aren't accessible because they haven't been created yet. Once the configuration phase is over, interaction with providers is disallowed and the process of creating services starts. We call this part of the application life-cycle the run phase . So simply speaking there is no way to use any service in config phase except constant & Provider. Technically, a Provider is defined as an object with a $get function. Example - So let s
Read more