Hello @adil,
Whether you like it or not, SharePoint bakes a lot of cookies and doesn’t secure them by default, leaving them potentially vulnerable to XSS attacks.
You can set the HttpOnly and Secure flags in IIS to lock the old cookies, making the use of cookies more secure.
- Enable HttpOnly Flag in IIS

Edit the web.config file of your web application and add the following:

    <system.web>
      ...
      <httpCookies httpOnlyCookies="true" requireSSL="true" />
      ...
    </system.web>

- Enable Secure Flag in IIS
It is better to use URL Rewrite and add the following to your web.config file:

    <system.webServer>
      <rewrite>
        <outboundRules>
          <rule name="Use only secure cookies" preCondition="Unsecured cookie">
            <match serverVariable="RESPONSE_SET_COOKIE" pattern=".*" negate="false" />
            <action type="Rewrite" value="{R:0}; secure" />
          </rule>
          <preConditions>
            <preCondition name="Unsecured cookie">
              <add input="{RESPONSE_SET_COOKIE}" pattern="." />
              <add input="{RESPONSE_SET_COOKIE}" pattern="; secure" negate="true" />
            </preCondition>
          </preConditions>
        </outboundRules>
      </rewrite>
      ...
    </system.webServer>
You could refer to the following articles for more information:
- How to Enable Secure HttpOnly Cookies in IIS
- SharePoint Server Hardening and SPWebConfigModification
Thanks,
Echo Du
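As an added example that is not part of the original answer, the script below audits the `httpCookies` settings in a web.config and simulates what the outbound "Use only secure cookies" rule above does to each Set-Cookie header. The web.config fragment and cookie values are constructed, and the simulation assumes URL Rewrite's default case-insensitive pattern matching.

```python
"""Audit web.config cookie flags and simulate the outbound URL Rewrite rule.
Added example; not code from the original answer or from SharePoint/IIS."""
import re
import xml.etree.ElementTree as ET

# Constructed web.config fragment using the element from the answer.
WEB_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>"""


def audit_http_cookies(config_xml: str) -> dict:
    """Return whether httpOnlyCookies and requireSSL are enabled.
    A missing element or attribute counts as False, the ASP.NET default."""
    root = ET.fromstring(config_xml)
    node = root.find("system.web/httpCookies")

    def flag(name: str) -> bool:
        return node is not None and node.get(name, "false").lower() == "true"

    return {"httpOnlyCookies": flag("httpOnlyCookies"),
            "requireSSL": flag("requireSSL")}


# Mirrors the preCondition: header is non-empty (pattern ".") AND does not
# already contain "; secure" (negated match). Case-insensitive by assumption.
_NONEMPTY = re.compile(r".")
_SECURE = re.compile(r"; secure", re.IGNORECASE)


def rewrite_set_cookie(header_value: str) -> str:
    """Apply the rule's action ({R:0}; secure) to one Set-Cookie value."""
    if _NONEMPTY.search(header_value) and not _SECURE.search(header_value):
        return header_value + "; secure"
    return header_value


def rewrite_response_headers(headers: list) -> list:
    """Apply the rule to every Set-Cookie header; other headers are untouched."""
    return [(name, rewrite_set_cookie(value) if name.lower() == "set-cookie" else value)
            for name, value in headers]


if __name__ == "__main__":
    print(audit_http_cookies(WEB_CONFIG))
    sample = [  # constructed response headers
        ("Content-Type", "text/html"),
        ("Set-Cookie", "SessionId=abc123; path=/; HttpOnly"),
        ("Set-Cookie", "Prefs=dark; path=/; secure; HttpOnly"),
    ]
    for name, value in rewrite_response_headers(sample):
        print(f"{name}: {value}")
```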