This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 88%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi one of security concerns is that implement Domain’, ‘HTTP Only’ and ‘Secure’ cookie attributes for internet facing web application
Here I require is that How to implement this and if i implement is any impact to SharePoint web application functionalities?
Hi @adil ,
Would you tell me whether your issue has been resolved or have any update ?
I am looking forward to your reply.
Have a nice day!
Hello @adil ,
Whether you like it or not, SharePoint bakes a lot of cookies and doesn’t secure them by default, leaving them potentially vulnerable to XSS attacks.
You can set the HttpOnly and Secure flags in IIS to lock the old cookies, making the use of cookies more secure.
You could refer to the following articles to learn more information:
Thanks,
Echo Du
================
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
this will working for sharepoint 2019 ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 11%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELD%3C/text%3E%3C/svg%3E)
Your comment says:
"It is better to use URL Rewrite and add the following to your web.config file". Is that two different things? What must you do with URL Rewrite? What rewrite rule should yo use? Or are you saying that you should use URL Rewrite TO add the rule to your web.config?
any idea why after add on the above code to web.config and URL rewrite the cookies still not see the HttpOnly and Secure is not checked ? (example of the WSS_FullScreenMode )
Did you get any solution for "WSS_FullScreenMode". I am also having the same issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 98%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
(SinPeow) Did you already solved your problem ? If is it true how did you solve it ?
hi all, security team mentioned not require for WSS_FullScreenMode to have HttpOnly checked . we not continue look into it.
did it some time ago for public-facing site running on Sharepoint - it worked, no side effects were found after that.