Set-Cookie: COOKIE=VAL; path=/; domain=.domain.com; secure; HttpOnly
Because the way response headers are produced depends on the technology that powers the website, guidance on this topic is often deliberately generic: each programming language and technology stack has its own way of setting these headers.
For websites powered by PHP you can add the “HttpOnly” flag to the cookies using either the setcookie or the setrawcookie built-in function. You can achieve the same result by adding the header manually, like this:
```php
// Using the setcookie built-in PHP function.
setcookie(
    $name,     // Name of the cookie.
    $value,    // Value of the cookie.
    $expire,   // Time the cookie expires, as a Unix timestamp.
    $path,     // Path on the server in which the cookie will be available.
    $domain,   // The domain that the cookie is available to.
    $secure,   // Transmitted only over a secure HTTPS connection.
    $httponly  // Make the cookie accessible only through the HTTP protocol.
);

// Using the setrawcookie built-in PHP function.
setrawcookie( /* same parameters as setcookie */ );

// Modifying the information of the response headers manually.
header( 'Set-Cookie: name=value; HttpOnly' );
```
These documents explain it in detail:
It is important to mention that most web scanners, Sucuri SiteCheck included, will display a warning if at least one cookie (in case there is more than one) is missing the “HttpOnly” flag. For instance, this website sets two cookies and only one of them is protected:
```
$ curl --head 'http://example.com/'
HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
Date: Wed, 01 Jan 2015 00:00:01 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: abc_16951=a56f2718; expires=Wed, 31-Dec-2999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: PHPSESSID=c543d1b48df7a597947f5556cbe06628; path=/
Content-Type: text/html; charset=UTF-8
```
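As an added example (not part of the original post), the following Python script performs the per-cookie check described above over raw response headers of the kind curl prints: it reports every Set-Cookie line that lacks the HttpOnly flag, and also the Secure flag, so a single unprotected cookie is enough to produce a finding. The sample response is constructed from the headers shown above.

```python
# Added example: audit every Set-Cookie header in a captured HTTP response.
from typing import Dict, List

# Constructed sample: the response shown above (one cookie protected, one not).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Set-Cookie: abc_16951=a56f2718; expires=Wed, 31-Dec-2999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: PHPSESSID=c543d1b48df7a597947f5556cbe06628; path=/
Content-Type: text/html; charset=UTF-8
"""


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and its protection flags."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive (RFC 6265), so normalise them.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {"name": name, "httponly": "httponly" in attrs, "secure": "secure" in attrs}


def find_unprotected_cookies(raw_headers: str) -> List[Dict[str, object]]:
    """Return every cookie in the response that is missing HttpOnly or Secure."""
    findings = []
    for line in raw_headers.splitlines():
        # Header field names are case-insensitive as well.
        if line.lower().startswith("set-cookie:"):
            cookie = parse_set_cookie(line.split(":", 1)[1])
            if not (cookie["httponly"] and cookie["secure"]):
                findings.append(cookie)
    return findings


if __name__ == "__main__":
    for c in find_unprotected_cookies(SAMPLE_RESPONSE):
        missing = [flag for flag in ("httponly", "secure") if not c[flag]]
        print(f"cookie {c['name']!r} is missing: {', '.join(missing)}")
```

Run against the sample, it flags both cookies: abc_16951 for the missing Secure flag and PHPSESSID for missing both flags.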