Thursday, June 19, 2014

[Website Security] HttpOnly: protecting a site's cookies from being stolen

Websites commonly use cookies to store the user's token; protect important cookies with the HttpOnly flag.

HttpOnly cookies can in fact be remarkably effective. Here's what we know:
  • HttpOnly restricts all access to document.cookie in IE7, Firefox 3, and Opera 9.5 (unsure about Safari)
  • HttpOnly removes cookie information from the response headers in XMLHttpObject.getAllResponseHeaders() in IE7. It should do the same thing in Firefox, but it doesn't, because there's a bug.
  • XMLHttpObjects may only be submitted to the domain they originated from, so there is no cross-domain posting of the cookies.
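As an added example (not code from the original post), the following Node.js snippet shows the server side of the points above: it builds a hardened Set-Cookie header for a session token and audits a list of Set-Cookie headers for sensitive cookies that lack HttpOnly. The cookie names, the `sensitive` name pattern and the sample headers are constructed for the demo.

```javascript
// Build a Set-Cookie header for a session token with HttpOnly (and Secure,
// SameSite) so that script on the page cannot read it via document.cookie.
function buildSessionCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  parts.push('Path=' + (opts.path || '/'));
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  parts.push('HttpOnly');                          // hidden from document.cookie
  if (opts.secure !== false) parts.push('Secure'); // only sent over HTTPS
  parts.push('SameSite=' + (opts.sameSite || 'Lax'));
  return parts.join('; ');
}

// Parse one Set-Cookie header into { name, value, flags } where flag keys are
// lower-cased attribute names (e.g. flags.httponly === true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const flags = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    flags[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, flags };
}

// Audit: return the names of cookies whose name looks sensitive (session,
// token, auth) but that were set without HttpOnly. The pattern is an
// assumption for the demo; adjust it to your own cookie naming.
function findUnprotectedCookies(setCookieHeaders, sensitive = /session|token|auth/i) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => sensitive.test(c.name) && c.flags.httponly !== true)
    .map((c) => c.name);
}

// Constructed sample Set-Cookie headers, as a response might return them.
const sampleHeaders = [
  'SESSIONID=abc123; Path=/; HttpOnly; Secure', // protected
  'auth_token=def456; Path=/',                  // sensitive, not protected
  'theme=dark; Path=/',                         // not sensitive, fine as-is
];

console.log(buildSessionCookie('sid', 'abc'));
console.log(findUnprotectedCookies(sampleHeaders)); // ['auth_token']
```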
