Merge pull request #441 from bugcrowd/cookie-base-xss

Updates to recs for cookie-based XSS
bugcrowd · May 15, 2024 · 2fa695b · 2fa695b
2 parents b76c074 + 2e0b1e1
commit 2fa695b
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/submissions/description/cross_site_scripting_xss/cookie_based/Recommendations.md b/submissions/description/cross_site_scripting_xss/cookie_based/Recommendations.md
@@ -3,11 +3,14 @@
 There is no single technique to stop XSS from occurring. However, implementing the right combination of defensive measures within the application will prevent and limit the impact of XSS. Some best practices include the following:
 
 - All user input fields should be sanitized based on what the field is likely to contain. For example, a date field (01/01/2001) should only contain a maximum of 10 characters consisting of numbers and forward slashes. Additionally, drop down or pick lists can be used for allowable inputs to ensure expected values are sent to the server.
-- Use appropriate HTTP response headers to ensure the browser correctly interprets responses. These should be customized specific to the application and its environment. For example:
+- Use appropriate HTTP response headers to ensure the browser correctly interprets responses. These should be customized specific to the application and its environment. Additionally, include the `HttpOnly` flag in the Set-Cookie response header. For example:
 
     ``` HTTP
     X-Content-Type-Options: nosniff
     Content-Security-Policy: default-src ‘self’; script-src ‘self’
+    Set-Cookie: <name>=<value>[; <Max-Age>=<age>]
+    `[; expires=<date>][; domain=<domain_name>]
+    [; path=<some_path>][; secure][; HttpOnly]
     ```
 
 For more information, please see the Open Web Application Security Project (OWASP) guides located at: