Preventing Directory Listing – Apache

Using httpd.conf or .htaccess

Add the following lines to httpd.conf or .htaccess:

# Turn off mod_autoindex listings for this directory tree
Options -Indexes
# Belt and braces: hide every file from any listing that is still generated
IndexIgnore *

Reference

http://wiki.apache.org/httpd/DirectoryListings

Preventing Directory Listing – ASP.NET

Method

Add the following lines to web.config:

<configuration>
  <location path=".">
    <system.webServer>
      <directoryBrowse enabled="false" />
    </system.webServer>
  </location>
</configuration>

References

http://msdn.microsoft.com/en-us/library/ff649337.aspx
http://blogs.iis.net/bills/archive/2008/03/24/how-to-enable-directory-br…

Directory Listing

Description

Directory listing is a web server function that displays a list of all files in a website directory when that directory contains no index file (such as index.php or default.asp).

Some web administrators do not configure their web servers to disable directory listing properly, or do not disable it at all.

For instance, administrators may create complex configurations, such as allowing directory listing only for particular directories or subdirectories. A mistake in such a configuration can unexpectedly and unintentionally enable listing of directories that contain sensitive information.


Setting Cookie Secure Flag – Apache

Method

Add the following line to section 1 (Global Environment) of httpd.conf. It loads the headers_module module, which provides directives to control and modify HTTP request and response headers:

LoadModule headers_module modules/mod_headers.so

After loading the headers_module module, add the following line to section 3 (Main Server Config) of httpd.conf:

# Append the Secure attribute to every Set-Cookie response header
Header edit Set-Cookie ^(.*)$ $1;Secure

Reference

https://www.owasp.org/index.php/SecureFlag

Setting Cookie Secure Flag – PHP

Method #1: By using the ini_set function

Add the following code to the page:

// Must run before session_start() so the session cookie is issued with Secure
ini_set("session.cookie_secure", 1);

Method #2: By using the session_set_cookie_params function

Add the following code to the page:

// Arguments: lifetime, path, domain, secure, httponly; call it before session_start()
session_set_cookie_params(0, NULL, NULL, TRUE, NULL);

Method #3: By using the setcookie function

Add the following code when creating the cookie:

// Arguments: name, value, expires, path, domain, secure, httponly.
// expires, path and domain take int/string values, so use 0 and "" rather than NULL
// (passing NULL to these parameters is deprecated since PHP 8.1); the sixth argument sets Secure.
setcookie("name", "value", 0, "", "", TRUE, FALSE);

References

https://www.owasp.org/index.php/SecureFlag
http://php.net/manual/en/function.setcookie.php
http://php.net/manual/en/function.session-set-cookie-params.php

Setting Cookie Secure Flag – ASP.NET

Method #1: Setting the Secure property to true

Create the cookie with its Secure property set to true:

// C# string literals use double quotes and the boolean keyword is lower-case
HttpCookie cookie = new HttpCookie("name");
cookie.Secure = true;
cookie.Value = "Value";
// The flag only takes effect once the cookie is added to the response
Response.Cookies.Add(cookie);

Method #2: Using web.config

Add the following to web.config:

<system.web>
  <httpCookies requireSSL="true" />
</system.web>

Reference

https://www.owasp.org/index.php/SecureFlag

Setting Cookie Secure Flag – Java

Method #1

Create a secure cookie by calling the setSecure method, which marks the cookie as Secure:

Cookie newCookie = new Cookie("name", "value");
newCookie.setSecure(true);
// Send it to the client; response is the servlet's HttpServletResponse
response.addCookie(newCookie);

Method #2

Add the following lines to the project's web.xml file to make the session cookie secure:

<session-config>
  <cookie-config>
    <secure>true</secure>
  </cookie-config>
</session-config>

Reference

https://www.owasp.org/index.php/SecureFlag

Cookie Secure Flag

Description

When a cookie is set with the Secure flag, it instructs the browser that the cookie may only be sent over encrypted HTTPS (SSL/TLS) connections. This is an important security protection for session cookies.

The Secure flag is an option that the application server can set when sending a new cookie to the user in an HTTP response. Its purpose is to prevent the cookie from being observed by unauthorized parties, which could otherwise happen because the cookie would be transmitted in clear text.


Cookie – HttpOnly Flag

Description

When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies.

If the optional HttpOnly flag is set, the cookie cannot be accessed through client-side script (again, provided the browser supports this flag). As a result, even if a Cross-Site Scripting (XSS) flaw exists and a user accidentally follows a link that exploits it, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
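As an added example (not code from the original page), the following Python script audits raw Set-Cookie response headers for the Secure flag described in the previous section and the HttpOnly flag described here, and models what the Apache `Header edit Set-Cookie ^(.*)$ $1;Secure` directive from the Apache section does to a header value. The header lines are constructed sample data.

```python
"""Audit raw HTTP response headers for cookies missing the Secure or HttpOnly flag."""
import re

# Constructed sample response headers (not captured from any real server).
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "Set-Cookie: PHPSESSID=abc123; path=/",
    "Set-Cookie: JSESSIONID=def456; Path=/; Secure; HttpOnly",
    "Set-Cookie: ASP.NET_SessionId=ghi789; path=/; secure",
]

REQUIRED_FLAGS = ("Secure", "HttpOnly")


def parse_set_cookie(value):
    """Return (cookie_name, set_of_lowercase_attribute_names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive, so normalise before comparing.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(header_lines):
    """Map each cookie name to the list of required flags it is missing."""
    findings = {}
    for line in header_lines:
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            findings[name] = [f for f in REQUIRED_FLAGS if f.lower() not in attrs]
    return findings


def apply_header_edit(value):
    """Model what `Header edit Set-Cookie ^(.*)$ $1;Secure` does to one header value.

    It appends ';Secure' unconditionally, so a cookie that already carries the
    flag ends up with it twice (harmless to browsers, but visible in the output).
    """
    return re.sub(r"^(.*)$", r"\1;Secure", value)


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        status = "missing " + ", ".join(missing) if missing else "ok"
        print(f"{cookie}: {status}")
```

Run it against the headers your own server returns (for example, copied from a browser's developer tools) to confirm that every session cookie carries both flags after applying the fixes above.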
