After a PenTest we were told to set the HttpOnly flag on all of our cookies.
We have Ubuntu Server 22.04 and 24.04 LAMP stacks with a WordPress website. I have made changes to:
- /etc/apache2/apache2.conf
- /etc/php/8.3/php.ini
- /var/www/html/wp-config.php
Each time, after clearing cookies in an Incognito (or InPrivate) window and refreshing, I see in the browser's developer view that the HttpOnly and Secure flags are not checked.
What I have done
APACHE
First I make sure mod_headers is enabled by verifying that headers.conf is located in /etc/apache2/mods-available/ and /etc/apache2/mods-enabled/.
In the /etc/apache2/apache2.conf file I add:
<VirtualHost *:80>
Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
# or
Header edit Set-Cookie ^(.*)$ "$1;HttpOnly"
</VirtualHost>
PHP
I add the following lines to the /etc/php/8.3/fpm/php.ini file, or make sure they are uncommented:
session.cookie_httponly = 1
session.cookie_secure = 1
session.use_only_cookies = 1
For good measure I set this in the /etc/php/8.3/cli/php.ini file as well.
WP-CONFIG.PHP
The third place I've read to make setting changes is the wp-config.php file found at the root of the WordPress site, so in my case at /var/www/html/wp-config.php.
@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);
These lines are put between these two commented lines in the file:
/* Add any custom values between this line and the "stop editing" line. */
/* That's all, stop editing! Happy publishing. */
RESTART APACHE
Then I test the configuration and restart Apache:
# check the syntax
sudo apachectl -t
# restart
sudo systemctl restart apache2
# check
sudo systemctl status apache2
CHECK THE BROWSER
Then I delete the cookies, refresh the page or close the browser and re-open the site in Incognito or InPrivate mode, but the cookies never show the HttpOnly or Secure flag.
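As an added check (an example script, not part of the original question): the browser's cookie viewer only shows cookies it accepted, and Chrome and Firefox silently reject a cookie carrying the Secure attribute when it arrives over plain http://, so the raw Set-Cookie headers are the more reliable thing to inspect, and the test should be run against the https:// vhost. The POSIX shell script below, which assumes only awk and, for the live run, curl (the hostname in the usage line is a placeholder), reads response headers and lists each cookie that lacks HttpOnly or Secure. The constructed sample also makes visible the distinction the question runs into: session.cookie_httponly and session.cookie_secure in php.ini apply only to PHP's own session cookie (PHPSESSID in the sample), not to cookies an application sets itself with setcookie(), such as the ones WordPress sets.

```shell
# check_cookie_flags reads raw HTTP response headers on stdin and prints one
# line per Set-Cookie header: "<name> ok" or "<name> missing: <flags>".
check_cookie_flags() {
    awk '
        tolower($0) ~ /^set-cookie:/ {
            line = $0
            sub(/\r$/, "", line)              # curl output has CRLF line ends
            sub(/^[^:]*:[ \t]*/, "", line)    # drop the "Set-Cookie:" prefix
            name = line
            sub(/=.*/, "", name)              # cookie name is everything before "="
            lc = tolower(line)                # attribute names are case-insensitive
            missing = ""
            if (lc !~ /;[ \t]*httponly([ \t]*;|[ \t]*$)/) missing = missing " HttpOnly"
            if (lc !~ /;[ \t]*secure([ \t]*;|[ \t]*$)/)   missing = missing " Secure"
            if (missing == "") print name " ok"
            else print name " missing:" missing
        }
    '
}

# noncompliant_count prints how many Set-Cookie headers on stdin lack a flag.
noncompliant_count() {
    check_cookie_flags | awk '/ missing:/ { n++ } END { print n + 0 }'
}

# Constructed sample response (not captured from a real server) showing the
# three cases: no flags, HttpOnly only, and both flags set.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Set-Cookie: wordpress_test_cookie=WP%20Cookie%20check; path=/
Set-Cookie: wordpress_logged_in_abc=admin%7C123; path=/; HttpOnly
Set-Cookie: PHPSESSID=deadbeef; path=/; secure; HttpOnly
Content-Type: text/html'

printf '%s\n' "$SAMPLE_HEADERS" | check_cookie_flags
printf 'non-compliant cookies: %s\n' "$(printf '%s\n' "$SAMPLE_HEADERS" | noncompliant_count)"

# Live check against your own site (hostname is a placeholder). A GET with the
# headers dumped is used rather than -I, because a HEAD request may not set the
# same cookies; request a page that actually sets them, e.g. wp-login.php.
#   curl -sS -D - -o /dev/null https://www.example.invalid/wp-login.php | check_cookie_flags
```

Run the live line over https:// after each configuration change: if the Apache Header edit rule is reaching the right virtual host, every Set-Cookie line will come back with HttpOnly appended; if only PHPSESSID changes, the php.ini settings took effect but the application's own cookies are being set elsewhere.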