Implement ‘Domain’, ‘HTTP Only’ and ‘Secure’ cookie attributes for an internet-facing web application

adil 1,136 Reputation points

Hi, one of our security concerns is to implement the ‘Domain’, ‘HTTP Only’ and ‘Secure’ cookie attributes for an internet-facing web application.
What I need to know is how to implement this, and if I implement it, is there any impact on SharePoint web application functionality?

SharePoint Server Management

Accepted answer
  1. Echo Du_MSFT 17,031 Reputation points

    Hello @adil ,

    Whether you like it or not, SharePoint bakes a lot of cookies and doesn’t secure them by default, leaving them potentially vulnerable to XSS attacks.

    You can set the HttpOnly and Secure flags in IIS to lock the old cookies, making the use of cookies more secure.

    1. Enable HttpOnly Flag in IIS
      Edit the web.config file of your web application and add the following:

        <system.web>
          <httpCookies httpOnlyCookies="true" requireSSL="true" />
        </system.web>

    2. Enable Secure Flag in IIS
      It is better to use URL Rewrite and add the following to your web.config file:

        <system.webServer>
          <rewrite><outboundRules>
            <rule name="Use only secure cookies" preCondition="Unsecured cookie">
              <match serverVariable="RESPONSE_SET_COOKIE" pattern=".*" negate="false" />
              <action type="Rewrite" value="{R:0}; secure" />
            </rule>
            <preConditions><preCondition name="Unsecured cookie">
              <add input="{RESPONSE_SET_COOKIE}" pattern="." />
              <add input="{RESPONSE_SET_COOKIE}" pattern="; secure" negate="true" />
            </preCondition></preConditions>
          </outboundRules></rewrite>
        </system.webServer>


    You could refer to the following articles for more information:

    Echo Du



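The two web.config fragments in the accepted answer work through different mechanisms: `httpCookies` only affects cookies that ASP.NET itself issues, while the URL Rewrite outbound rule appends `; secure` to every non-empty Set-Cookie response header that does not already contain that substring. Neither touches a cookie that client-side script writes through `document.cookie`, because such a cookie never appears in a Set-Cookie header (and a script-written cookie cannot be HttpOnly at all). The script below is an added example for this thread, not code from the answer, from SharePoint or from Microsoft: it parses Set-Cookie headers, reports which of HttpOnly, Secure and Domain each cookie lacks, emulates the outbound rule's precondition so you can see what it would and would not change, and can be pointed at a real site. The sample headers and the cookie names `FedAuth`, `ASP.NET_SessionId` and `SiteTheme` are constructed for the demo.

```python
"""Audit Set-Cookie headers for HttpOnly / Secure / Domain and emulate the
IIS URL Rewrite outbound rule from the thread.

Added example for this thread (not SharePoint, IIS or Microsoft code).
The sample headers below are constructed; cookie names/values are assumptions.
"""
import urllib.error
import urllib.request
from typing import Dict, List


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_flags(header: str) -> List[str]:
    """Return which of the three attributes the question asks for are absent."""
    attrs = parse_set_cookie(header)["attrs"]
    wanted = [("httponly", "HttpOnly"), ("secure", "Secure"), ("domain", "Domain")]
    return [label for key, label in wanted if key not in attrs]


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the list of attributes it is missing."""
    return {parse_set_cookie(h)["name"]: missing_flags(h) for h in headers}


def add_secure_like_iis_rule(header: str) -> str:
    """Emulate the outbound rule: the precondition requires a non-empty header
    (pattern ".") that does not already contain "; secure" (URL Rewrite
    conditions ignore case by default); the action appends "; secure"."""
    if header and "; secure" not in header.lower():
        return header + "; secure"
    return header


def harden(headers: List[str]) -> List[str]:
    """Apply the emulated rule to every Set-Cookie header of a response."""
    return [add_secure_like_iis_rule(h) for h in headers]


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Live check against a real site: collect every Set-Cookie header sent for
    one request. A 401 from a SharePoint site still carries headers, so the
    HTTPError is read instead of raised."""
    try:
        with urllib.request.urlopen(url) as resp:
            return resp.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as err:
        return err.headers.get_all("Set-Cookie") or []


# Constructed sample of what a response might send before hardening (assumed names/values).
SAMPLE_BEFORE = [
    "FedAuth=Zm9v; path=/; HttpOnly",
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "SiteTheme=dark; path=/",
]

if __name__ == "__main__":
    print("before:", audit(SAMPLE_BEFORE))
    # The rewrite rule adds Secure only; HttpOnly and Domain are untouched,
    # so SiteTheme still lacks HttpOnly after the rule has run.
    print("after rewrite rule:", audit(harden(SAMPLE_BEFORE)))
```

To check a real deployment, call `fetch_set_cookie_headers("https://your-sharepoint-site/")` and pass the result to `audit`; any cookie that shows up in the browser but not in that list was set by client-side script and cannot be fixed by either web.config fragment.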

2 additional answers

  1. sadomovalex 3,621 Reputation points

    I did it some time ago for a public-facing site running on SharePoint. It worked, and no side effects were found after that.


  2. SinPeow 61 Reputation points

    Any idea why, after adding the above code to web.config and the URL Rewrite rule, the cookies still don't show HttpOnly and Secure as checked? (For example, WSS_FullScreenMode.)