Implement Domain’, ‘HTTP Only’ and ‘Secure’ cookie attributes for internet facing web application

adil 1,226 Reputation points
2020-11-29T09:19:05.547+00:00

Hi one of security concerns is that implement Domain’, ‘HTTP Only’ and ‘Secure’ cookie attributes for internet facing web application
Here I require is that How to implement this and if i implement is any impact to SharePoint web application functionalities?

SharePoint Server Management
SharePoint Server Management
SharePoint Server: A family of Microsoft on-premises document management and storage systems.Management: The act or process of organizing, handling, directing or controlling something.
2,948 questions
{count} votes

Accepted answer
  1. Echo Du_MSFT 17,161 Reputation points
    2020-11-30T03:23:11.17+00:00

    Hello @adil ,

    Whether you like it or not, SharePoint bakes a lot of cookies and doesn’t secure them by default, leaving them potentially vulnerable to XSS attacks.

    You can set the HttpOnly and Secure flags in IIS to lock the old cookies, making the use of cookies more secure.

    1. Enable HttpOnly Flag in IIS
      Edit the web.config file of your web application and add the following: <system.web>
      ...
      <httpCookies httpOnlyCookies="true" requireSSL="true" />
      ...
      </system.web>
    2. Enable Secure Flag in IIS
      It is better to use URL Rewrite and add the following to your web.config file: <system.webServer>
      <rewrite>
      <outboundRules>
      <rule name="Use only secure cookies" preCondition="Unsecured cookie">
      <match serverVariable="RESPONSE_SET_COOKIE" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; secure" />
      </rule>
      <preConditions>
      <preCondition name="Unsecured cookie">
      <add input="{RESPONSE_SET_COOKIE}" pattern="." />
      <add input="{RESPONSE_SET_COOKIE}" pattern="; secure" negate="true" />
      </preCondition>
      </preConditions>
      </outboundRules>
      </rewrite>
      ...
      </system.webServer>

    43464-vs.png

    You could refer to the following articles to learn more information:

    Thanks,
    Echo Du

    ================

    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

2 additional answers

Sort by: Most helpful
  1. SinPeow 86 Reputation points
    2022-06-17T03:54:21.267+00:00

    any idea why after add on the above code to web.config and URL rewrite the cookies still not see the HttpOnly and Secure is not checked ? (example of the WSS_FullScreenMode )

    1 person found this answer helpful.

  2. sadomovalex 3,631 Reputation points
    2020-12-02T15:11:22.437+00:00

    did it some time ago for public-facing site running on Sharepoint - it worked, no side effects were found after that.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.