HttpOnly session cookies
Whether you use HTTP or HTTPS, flag your cookies as HttpOnly
,
which means they are transmitted only over HTTP or HTTPS protocols.
This setting alone already prevents most XSS attacks, since HttpOnly
cookies cannot be transmitted using JavaScript.
When a client makes a call to the For example:
|
Configure the httpOnly
flag
-
In the AM admin UI, go to Configure > Server Defaults > Advanced.
-
Set the
com.sun.identity.cookie.httponly
advanced server property totrue
, and save your changes.You must make this change in all the AM instances in the site.
Regardless of the value of the
com.sun.identity.cookie.httponly
property, AM upgrades cookies to secure cookies (except theamlbcookie
cookie) when requests arrive over a secure channel. -
Restart AM or the container where it runs.