What is HTTP cookies?

HTTP cookies are generally known as internet/browser cookies. These cookies are commonly referred to as small blocks of data that are created by the web server at the time of a user is browsing a website. Cookies are placed on the user’s device in a certain browsing session to provide some useful functionality to the user and also track the user’s browsing activity. So in a short word, HTTP cookies contain some critically sensitive personal information that should be known to third parties. This information should be kept is private and protected from hackers.

What is XSS attack?

Some of the web applications may contain Cross-Site scripting or XSS type of vulnerability. By taking advantage of this vulnerability a hacker can attempt an XSS attack in which the hacker injects client-side scripts into web pages viewed by other users. By doing this a hacker can easily bypass the access controls like same-origin policy. So now the hacker is able to gain access to the targeted user’s HTTP cookies and all the sensitive data may be compromised.

Here we will discuss several attributes that can help to safeguard HTTP cookies from XSS attacks:

• Http only requests: This attribute is used to ensure that the cookies can only be accessed by the web server. It prevents access by any other client-side scripts like JavaScript(JS). This attribute prevents the hackers to launch XSS attacks by securing the cookie’s data from any type of stealing attempts through client-side code.
• Secure connection: This attribute intercepts the cookie data in a transition state i.e. it ensures that the cookie must be transmitted over a secure connection(HTTPS). It also prevents transmission over an unsecured connection( HTTP).
• Same Site transmission: This attribute is used to ensure that the cookie must be sent to the same site from which the cookie originated. It prevents cross-site request forgery (CSRF) attacks. The user may opt for “Strict” option for this attribute to prevent any cross-site access. It may be set to “Lax” option also to allow some cross-site access for user-initiated requests that are trustworthy requests by the users..
• Expires and Max-Age: These two attributes control the duration timing for which the cookie is valid i.e. the expiration time or the maximum age of a certain cookie. It is recommended to set a shorter expiration time which can limit the opportunity for attackers to steal the cookie data.
• Path: In order to prevent cookies from being sent to other sites on the same domain, this attribute is used to indicate the URL path that must be present in the requested URL.

In the conclusion, we can set the above-discussed attributes to the recommended formats to minimize the risk of XSS attacks by attackers/hackers targeting website’s HTTP cookies.