Setting the HttpOnly attribute in the Set-Cookie header helps mitigate the most common consequence of an XSS attack: injected script reading the session cookie.
This can be done either inside the application by the developers or by configuring Tomcat as described below.
Let's see how to achieve this.
Implementing HttpOnly & Secure flags in Tomcat 6.x
Ex:
Next, adding a secure flag.
Implementing in Tomcat 7.x/8.x/9.x
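The following configuration sets both flags on the session cookie for Tomcat 7.x, 8.x and 9.x. It is an added example, not the original post's own snippet, and assumes the Servlet 3.0 `session-config` element is placed in Tomcat's conf/web.xml (global) or in an application's WEB-INF/web.xml declared as version 3.0 or newer:

```xml
<!-- conf/web.xml (applies to every webapp) or WEB-INF/web.xml (one app).
     The web-app element must declare Servlet 3.0 or later for cookie-config
     to be accepted. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <!-- Mark JSESSIONID HttpOnly: not readable by document.cookie in the browser. -->
      <http-only>true</http-only>
      <!-- Mark JSESSIONID Secure: browser only sends it over HTTPS.
           With this set, a site served over plain HTTP will lose its session,
           so enable it only once the application is reachable over TLS. -->
      <secure>true</secure>
    </cookie-config>
    <!-- Keep the session id in the cookie only, never in the URL. -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

</web-app>

<!-- Tomcat 6.0.19 and later have no cookie-config; the HttpOnly flag is set
     per context in conf/context.xml instead (default is true from Tomcat 7):
     <Context useHttpOnly="true"> ... </Context>
     These settings cover only the container's session cookie; cookies the
     application creates itself must set the flags in their own Set-Cookie. -->
```

If TLS is terminated at a reverse proxy and Tomcat itself listens on plain HTTP, Tomcat will not treat the request as secure unless the HTTP `<Connector>` carries `secure="true"` or a RemoteIpValve is configured, and the Secure attribute will then not be emitted.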
Verification
There are multiple ways to verify this.
However, if the server is Internet-facing or you want to test it externally, you can use the HTTP Header Checker online tool.
I hope this adds a layer of Tomcat security.
Learn more about Tomcat administration here.