
Require HttpOnly browser cookies

Open jimfenton opened this issue 5 years ago • 2 comments

In 800-63B Section 7.1.1, use of HttpOnly is a SHOULD. Consider making it a SHALL to improve resistance to XSS and similar attacks.

jimfenton, Jun 18 '19 19:06

"SHOULD" seems proportionate to me. Setting HttpOnly in cookies will preclude the use of certain types of cross-origin requests, where tokens are needed in JavaScript.

There are sometimes alternatives using CORS and cross-origin requests with .withCredentials = true, but these can be more complicated to implement without advance planning.

Perhaps there's some language that could convey "should set HttpOnly without a specific good reason not to".

brodygov, Jun 25 '19 22:06
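Added example, not from this issue or the 800-63-3 repository: a small Node.js helper that emits a session cookie with the HttpOnly, Secure and SameSite attributes the comment above discusses, plus an audit function that reports which of those flags a Set-Cookie header is missing. The cookie name, values and the legacy header are constructed for illustration.

```javascript
// Build a Set-Cookie header value for a session cookie. HttpOnly keeps the
// token out of document.cookie, so injected script cannot read it; the
// browser still attaches the cookie to cross-origin fetch() calls made with
// credentials: 'include' when the server's CORS policy permits it.
function buildSessionCookie(name, value, { maxAgeSeconds = 900, sameSite = 'Lax' } = {}) {
  return [
    `${name}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAgeSeconds}`,
    'Path=/',
    'Secure',
    'HttpOnly',
    `SameSite=${sameSite}`,
  ].join('; ');
}

// Parse one Set-Cookie header value into its name, value and attribute map.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Return the list of protective attributes a Set-Cookie header lacks;
// an empty list means the header satisfies the check.
function auditSetCookie(header) {
  const { attributes } = parseSetCookie(header);
  const missing = [];
  if (!attributes.httponly) missing.push('HttpOnly');
  if (!attributes.secure) missing.push('Secure');
  if (!attributes.samesite) missing.push('SameSite');
  return missing;
}

// Constructed sample: a header as an older application might emit it.
const legacyHeader = 'session=abc123; Path=/';
console.log(auditSetCookie(legacyHeader)); // [ 'HttpOnly', 'Secure', 'SameSite' ]
console.log(auditSetCookie(buildSessionCookie('session', 'abc123'))); // []
```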

For what it's worth, the normative "SHOULD" translates to "do this unless you have a very good and very specific reason not to do it", so I am in favor of keeping this a SHOULD, but perhaps with better explanation as to WHY.

jricher, Jul 12 '19 20:07