Set cookies to httponly and samesit to lax

Abonyi Francis 1

I hosted an angular JS application on windows IIS, when i viewed the application cookies on CHROME DEVELOPER TOOL, i noticed that some cookies were not set to HTTPONLY and SameSite not set to lax, meanwhile got some articles online on how to secure cookies which i used on my web.config yet am still getting some cookies HTTPONLY and samesite not set. Secondary i did not use any cookies on the application. Below is my web.config code.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Angular Routes" stopProcessing="true">
<match url="." />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
</conditions>
<action type="Rewrite" url="./index.html" />
</rule>
<rule name="IbankRedirecturl" stopProcessing="true">
<match url="(.)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" />
</rule>
</rules>

<outboundRules>
<rule name="Use only secure cookies" preCondition="Unsecured cookie">
<match serverVariable="RESPONSE_SET_COOKIE" pattern="." negate="false" />
<action type="Rewrite" value="{R:0}; secure" />
</rule>
<rule name="Add HttpOnly" preCondition="Missing httpOnly cookie">
<match serverVariable="RESPONSE_Set_Cookie" pattern="." negate="false" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
</rule>
<rule name="Ensure samesite Cookies" preCondition="Missing samesite cookie">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; SameSite=lax" />
</rule>
<preConditions>
<preCondition name="Unsecured cookie">
<add input="{RESPONSE_SET_COOKIE}" pattern="." />
<add input="{RESPONSE_SET_COOKIE}" pattern="; secure" negate="true" />
</preCondition>
<preCondition name="Missing httpOnly cookie">

<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
<preCondition name="Missing samesite cookie">

<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=lax" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>

<httpProtocol>
<customHeaders>


<add name="X-Frame-Options" value="SAMEORIGIN" />

<add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>

<add name="X-XSS-Protection" value="1; mode=block" />

<add name="X-Content-Type-Options" value="nosniff" />

<add name="Content-Security-Policy" value="default-src 'unsafe-inline' 'self' https://ibankapi.lotusbank.com https://ibank.lotusbank.com; script-src 'unsafe-inline' 'self' https://ibank.lotusbank.com" />

<add name="Referrer-Policy" value="strict-origin" />

</customHeaders>

</httpProtocol>
</system.webServer>
<system.web>

</system.web>
</configuration>

1 answer

Bruce Zhang-MSFT 3,736 Reputation points

2021-09-22T05:52:52.6+00:00

Hi @Abonyi Francis ,

I have tested your rewrite rule. It can work well and set response cookie.

From screenshoot, you can see that each precondition and outbound rule matched success. If them cannot work for you, please enable failed request tracing to check which step has issue.

If the answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our  documentation  to enable e-mail notifications if you want to receive the related email notification for this thread.

Best regards,
Bruce Zhang
Please sign in to rate this answer.

0 comments No comments
Sign in to comment