Preventing Directory Listing – ASP.NET

Method

Add the following lines to web.config:

<configuration>
  <location path=".">
    <system.webServer>
      <directoryBrowse enabled="false" />
    </system.webServer>
  </location>
</configuration>

References

http://msdn.microsoft.com/en-us/library/ff649337.aspx
http://blogs.iis.net/bills/archive/2008/03/24/how-to-enable-directory-br…

Setting Cookie Secure Flag – Apache

Method

Add the following line to section 1 (Global Environment) of httpd.conf. It loads the headers_module module, which provides directives to control and modify HTTP request and response headers:

LoadModule headers_module modules/mod_headers.so

After loading the headers_module module, add the following line to section 3 (Main Server Config) of httpd.conf:

Header edit Set-Cookie ^(.*)$ $1;Secure

Reference

https://www.owasp.org/index.php/SecureFlag

Setting Cookie Secure Flag – PHP

Method #1: Using the ini_set function

Add the following code to the page:

// Must run before session_start() so the session cookie is sent with the Secure attribute.
ini_set("session.cookie_secure", 1);

Method #2: Using the session_set_cookie_params function

Add the following code to the page:

// Arguments: lifetime, path, domain, secure, httponly (null keeps the php.ini default).
// Must be called before session_start().
session_set_cookie_params(0, null, null, true, null);

Method #3: Using the setcookie function

Add the following code when creating the cookie:

// Arguments: name, value, expires, path, domain, secure, httponly.
setcookie("name", "value", 0, "", "", true, false);

References

https://www.owasp.org/index.php/SecureFlag
http://php.net/manual/en/function.setcookie.php
http://php.net/manual/en/function.session-set-cookie-params.php

Setting Cookie Secure Flag – ASP.NET

Method #1: Setting the Secure property to true

Create the cookie with its Secure property set to true:

HttpCookie cookie = new HttpCookie("name");
cookie.Secure = true;   // the browser will only send this cookie over HTTPS
cookie.Value = "Value";
Response.Cookies.Add(cookie);

Method #2: Using web.config

Add the following to web.config:

<system.web>
<httpCookies requireSSL="true" />
</system.web>

Reference

https://www.owasp.org/index.php/SecureFlag

Setting Cookie Secure Flag – Java

Method #1

Create the cookie and call its setSecure method, which marks it as Secure (sent only over HTTPS):

Cookie newCookie = new Cookie("name", "value");
newCookie.setSecure(true);   // adds the Secure attribute to the Set-Cookie header
response.addCookie(newCookie);

Method #2

Add the following lines to the project's web.xml file to mark the session cookie as Secure:

<session-config>
 <cookie-config>
 <secure>true</secure>
 </cookie-config>
</session-config>

Reference

https://www.owasp.org/index.php/SecureFlag

Setting the HttpOnly Flag – PHP

PHP supports setting the HttpOnly flag since version 5.2.0 (November 2006).

For session cookies managed by PHP, the flag is set either permanently in php.ini through the parameter below, or at runtime using one of the methods that follow:

session.cookie_httponly = True

Method #1: Using the ini_set function before the setcookie function

Add the following code to the page:

// Affects the PHP session cookie; must run before session_start().
ini_set("session.cookie_httponly", 1);
// Arguments: name, value, expires, path, domain, secure, httponly.
setcookie("name", "value", 0, "", "", false, true);

Method #2: Using the session_set_cookie_params function before the setcookie function

Add the following code to the page:

// Arguments: lifetime, path, domain, secure, httponly (null keeps the php.ini default).
// Must be called before session_start().
session_set_cookie_params(0, null, null, null, true);
// Arguments: name, value, expires, path, domain, secure, httponly.
setcookie("name", "value", 0, "", "", false, true);

Method #3: Using the setcookie function

Add the following code when creating a cookie (not necessarily a session cookie):

// Arguments: name, value, expires, path, domain, secure, httponly.
setcookie("name", "value", 0, "", "", false, true);

References

http://php.net/manual/en/function.setcookie.php
http://php.net/manual/en/function.session-set-cookie-params.php

http://php.net/manual/en/session.configuration.php#ini.session.cookie-ht…

Setting the HttpOnly Flag – ASP.NET

Method #1

Add the following configuration to your web.config:

<system.web>
    <httpCookies httpOnlyCookies="true"  />
</system.web>

Method #2

In the code, use the System.Web.HttpCookie.HttpOnly property:

// Create an HttpOnly cookie.
HttpCookie theHttpOnlyCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());
// Setting the HttpOnly value to true, makes
// this cookie accessible only to ASP.NET.
theHttpOnlyCookie.HttpOnly = true;
theHttpOnlyCookie.Name = "TheHttpOnlyCookie";
Response.AppendCookie(theHttpOnlyCookie);
// Show the name of the HttpOnly cookie.
Response.Write(theHttpOnlyCookie.Name);

References

http://msdn.microsoft.com/en-us/library/ms533046.aspx

Setting the HttpOnly Flag – Java

For servlet versions before 3.0

Add the following when the session cookie is created:

String sessionid = request.getSession().getId();
// setHeader replaces any Set-Cookie header already queued on this response;
// use addHeader if other cookies are set on the same response.
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");

For servlet version 3.0 or later

Add the following lines to the web.xml file:

<session-config>
 <cookie-config>
  <http-only>true</http-only>
 </cookie-config>
</session-config>

Reference

https://www.owasp.org/index.php/HttpOnly#Using_Java_to_Set_HttpOnly
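The Secure and HttpOnly sections above all end with a Set-Cookie header that must carry the right attributes. The following Python script is an added example, not code from the original page: it parses constructed Set-Cookie header values, reports which cookies lack Secure or HttpOnly, and reproduces in Python what the Apache directive `Header edit Set-Cookie ^(.*)$ $1;Secure` does to each header (the sample cookie names and values are made up for the example).

```python
import re

# Constructed sample Set-Cookie header values (not captured from a real server):
# the first is a bare PHP session cookie, the second has HttpOnly only, the
# third already carries both flags, the fourth is a non-session cookie.
SAMPLE_SET_COOKIE_HEADERS = [
    "PHPSESSID=abc123; path=/",
    "JSESSIONID=DEADBEEF; Path=/app; HttpOnly",
    "ASP.NET_SessionId=xyz; path=/; secure; HttpOnly",
    "prefs=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased because browsers match them
    case-insensitively; flag attributes without a value map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def cookie_flags(header_value):
    """Report whether a Set-Cookie value carries the Secure and HttpOnly flags."""
    name, _, attrs = parse_set_cookie(header_value)
    return {"name": name, "secure": "secure" in attrs, "httponly": "httponly" in attrs}


def audit_cookies(header_values):
    """Return the cookie names missing each flag, in header order."""
    missing = {"secure": [], "httponly": []}
    for header_value in header_values:
        flags = cookie_flags(header_value)
        if not flags["secure"]:
            missing["secure"].append(flags["name"])
        if not flags["httponly"]:
            missing["httponly"].append(flags["name"])
    return missing


# Python equivalent of the Apache directive
#     Header edit Set-Cookie ^(.*)$ $1;Secure
# The pattern matches the whole header value, so ";Secure" is appended to
# every Set-Cookie header, including ones that already carry the flag
# (harmless, but the attribute then appears twice).
SECURE_EDIT = re.compile(r"^(.*)$")


def apply_secure_edit(header_value):
    return SECURE_EDIT.sub(r"\1;Secure", header_value)


if __name__ == "__main__":
    print("before:", audit_cookies(SAMPLE_SET_COOKIE_HEADERS))
    rewritten = [apply_secure_edit(h) for h in SAMPLE_SET_COOKIE_HEADERS]
    print("after Header edit:", audit_cookies(rewritten))
```

Running the script shows that the Apache rewrite fixes every missing Secure flag but leaves HttpOnly untouched, which is why the HttpOnly flag has to be set separately by the application or a second directive.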

Clickjacking – Java Secure Coding

Method #1: Adding the X-Frame-Options HTTP header

 // to prevent all framing of this content
 response.addHeader( "X-FRAME-OPTIONS", "DENY" );
 
 // to allow framing of this content only by this site
 response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );

Method #2: Including frame-busting code

<style> html{display : none ; } </style>
<script>
   if( self == top ) {
       document.documentElement.style.display = 'block' ; 
   } else {
       top.location = self.location ; 
   }
</script>

References

https://www.owasp.org/index.php/Clickjacking_Protection_for_Java_E

Clickjacking – ASP.NET Secure Coding

Method #1: Adding the X-Frame-Options HTTP header

Add the following code to the Application_BeginRequest method of the global.asax file:

void Application_BeginRequest(object sender, EventArgs e)
{
    HttpContext.Current.Response.AddHeader("x-frame-options", "DENY");
}

Method #2: Including frame-busting code

<style> html{display : none ; } </style>
<script>
   if( self == top ) {
       document.documentElement.style.display = 'block' ; 
   } else {
       top.location = self.location ; 
   }
</script>

References

http://technet.microsoft.com/en-us/security/cc242650
http://blogs.msdn.com/b/sdl/archive/2009/02/05/clickjacking-defense-in-i…
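Both clickjacking sections (Java and ASP.NET) rely on the browser honouring the X-Frame-Options header. The Python script below is an added example, not code from the original page: given constructed response header sets, it evaluates whether a page could be rendered inside a frame on another site, treating a missing header, or a value other than DENY/SAMEORIGIN, as unprotected. The sample responses and URLs are made up for the example, and the SAMEORIGIN check is simplified to comparing the top-level document's origin only.

```python
from urllib.parse import urlsplit

# Constructed sample responses (header dicts), not captured from real servers.
SAMPLE_RESPONSES = {
    "deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "sameorigin": {"Content-Type": "text/html", "x-frame-options": "sameorigin"},
    "unprotected": {"Content-Type": "text/html"},
}


def get_header(headers, name):
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def origin_of(url):
    """(scheme, host, port) tuple; two URLs share an origin when these match."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, (parts.hostname or "").lower(), port


def framing_allowed(headers, framed_url, top_url):
    """Would a browser that honours X-Frame-Options render framed_url inside
    a page at top_url?  Simplified: only the top-level document's origin is
    compared for SAMEORIGIN (real browsers may also check intermediate frames).
    """
    value = get_header(headers, "X-Frame-Options")
    if value is None:
        return True                      # no policy: any site may frame the page
    value = value.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin_of(framed_url) == origin_of(top_url)
    # Anything else (including ALLOW-FROM, which several browsers never
    # implemented) cannot be relied on, so the audit treats it as unprotected.
    return True


def audit_framing(responses, framed_url, third_party_url):
    """Names of responses that an unrelated site could embed in a frame."""
    return [name for name, headers in responses.items()
            if framing_allowed(headers, framed_url, third_party_url)]


if __name__ == "__main__":
    print(audit_framing(SAMPLE_RESPONSES, "https://app.example/transfer",
                        "https://other.example/"))
```

Note that SAMEORIGIN compares scheme, host and port, so an HTTPS page framed from an HTTP page on the same host is still blocked; the header lookup is case-insensitive because servers and proxies may emit the header name in any case.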