In web security, cross-site scripting (XSS) is one of the most common classes of attack and a long-standing problem. This article introduces one mechanism that reduces its impact: HttpOnly cookies.
1. Introduction to XSS and HTTP-only Cookies

Cross-site scripting is one of the common problems plaguing web application security. It is a vulnerability in the web application: the server fails to properly filter or encode user-supplied input before emitting it as HTML, so attacker-controlled script is sent to other users and executes in their browsers, in the security context of the site. A successful XSS attack can leak sensitive information belonging to the site's users, most commonly their session cookies. To reduce this risk, Microsoft's Internet Explorer 6 SP1 introduced a new cookie attribute, HttpOnly, which other browsers later adopted.
A cookie that is set with the HttpOnly attribute cannot be read by script in the page, so an XSS payload that runs document.cookie does not get its contents. This raises the bar for cookie theft, but it does not fix the XSS vulnerability itself: injected script still runs in the user's session and can still make requests that carry the cookie. Even with HttpOnly in place, do not store important information in cookies.

The purpose of HttpOnly is therefore narrow: it stops JavaScript from reading the cookie's value, which blocks the classic "exfiltrate document.cookie" attack.

If JavaScript could still read it, what would be the point of HttpOnly?

Put bluntly, HttpOnly is a convention between the server and the browser, written into the cookie specification: a cookie flagged HttpOnly is stored and sent back to the server on every matching request like any other cookie, but the browser leaves it out of document.cookie and also withholds it from script-accessible response headers (for example, XMLHttpRequest hides Set-Cookie). That is all it does. It relies on the browser honouring the rule, and historically there were gaps (cross-site tracing via the HTTP TRACE method was one), so the attribute is a mitigation for one symptom, not a cure for XSS.