adilahmed asked SinPeow commented

Implement ‘Domain’, ‘HTTP Only’ and ‘Secure’ cookie attributes for an internet-facing web application

Hi, one of the security concerns raised is to implement the ‘Domain’, ‘HTTP Only’ and ‘Secure’ cookie attributes for an internet-facing web application.
What I require is this: how do I implement this, and if I implement it, is there any impact on SharePoint web application functionality?

office-sharepoint-server-administration

Hi @adilahmed ,

Would you tell me whether your issue has been resolved, or if you have any update?
I am looking forward to your reply.

Have a nice day!

EchoDu-MSFT answered SinPeow commented

Hello @adilahmed ,

Whether you like it or not, SharePoint bakes a lot of cookies and doesn’t secure them by default, leaving them potentially vulnerable to XSS attacks.

You can set the HttpOnly and Secure flags in IIS to lock the old cookies, making the use of cookies more secure.

  1. Enable HttpOnly Flag in IIS
    Edit the web.config file of your web application and add the following:

    <system.web>
      ...
      <httpCookies httpOnlyCookies="true" requireSSL="true" />
      ...
    </system.web>

  2. Enable Secure Flag in IIS
    It is better to use URL Rewrite and add the following to your web.config file:

    <system.webServer>
      <rewrite>
        <outboundRules>
          <rule name="Use only secure cookies" preCondition="Unsecured cookie">
            <match serverVariable="RESPONSE_SET_COOKIE" pattern=".*" negate="false" />
            <action type="Rewrite" value="{R:0}; secure" />
          </rule>
          <preConditions>
            <preCondition name="Unsecured cookie">
              <add input="{RESPONSE_SET_COOKIE}" pattern="." />
              <add input="{RESPONSE_SET_COOKIE}" pattern="; secure" negate="true" />
            </preCondition>
          </preConditions>
        </outboundRules>
      </rewrite>
      ...
    </system.webServer>


You could refer to the following articles for more information:

Thanks,
Echo Du
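The web.config changes in the answer above can be verified from the outside by reading the Set-Cookie headers the web application actually returns. The script below is an added example and is not code from the answer or from Microsoft: it parses Set-Cookie values, reports which cookies lack HttpOnly or Secure, and reproduces what the outbound rewrite rule does (append "; secure" only when no Secure attribute is present, matched case-insensitively, as URL Rewrite patterns are by default). The sample headers are constructed; FedAuth, rtFa, WSS_FullScreenMode and WSS_KeepSessionAuthenticated are real SharePoint cookie names, but the values are made up. The function names and the optional fetch helper are the example's own.

```python
"""Audit Set-Cookie headers for HttpOnly / Secure / Domain (added example, not from the answer)."""
import re
from typing import Dict, List, Tuple

# Constructed sample resembling a SharePoint response before hardening.
# Cookie names are real SharePoint names; the values are made up.
SAMPLE_SET_COOKIE: List[str] = [
    "FedAuth=77u/PD94bWwgdmVyc2lvbj0iMS4wIj8+; path=/; HttpOnly",
    "rtFa=AbCdEf0123456789==; path=/; HttpOnly",
    "WSS_FullScreenMode=false; path=/",
    "WSS_KeepSessionAuthenticated={00000000-0000-0000-0000-000000000000}; path=/; secure; HttpOnly",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, attrs).

    Attribute names are case-insensitive per RFC 6265, so keys are lower-cased;
    flag attributes such as HttpOnly and Secure map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header: str) -> Dict[str, object]:
    """Report which of HttpOnly / Secure a single Set-Cookie lacks, plus its Domain scope."""
    name, _, attrs = parse_set_cookie(header)
    missing = [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]
    return {
        "name": name,
        "missing": missing,
        # No Domain attribute means a host-only cookie, sent only to the issuing host.
        # That is the narrower scope, so it is reported but not treated as a defect.
        "host_only": "domain" not in attrs,
    }


# "; secure" as its own attribute (followed by ";" or end of header), case-insensitive.
SECURE_RE = re.compile(r";\s*secure(\s*;|\s*$)", re.IGNORECASE)


def add_secure(header: str) -> str:
    """Same effect as the IIS outbound rule in the answer: append "; secure"
    unless the header already carries a Secure attribute."""
    if SECURE_RE.search(header):
        return header
    return header + "; secure"


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map cookie name -> list of missing flags; cookies that are fine are omitted."""
    findings: Dict[str, List[str]] = {}
    for h in headers:
        report = audit_cookie(h)
        if report["missing"]:
            findings[str(report["name"])] = list(report["missing"])  # type: ignore[arg-type]
    return findings


def fetch_set_cookie(url: str) -> List[str]:
    """Return the Set-Cookie headers of one response without following redirects
    (SharePoint's 302/401 responses carry cookies too). Only used when a URL is given."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # turn any 3xx into an HTTPError so its headers are kept

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "cookie-audit"})
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as err:
        return err.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    import sys

    headers = fetch_set_cookie(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SET_COOKIE
    for h in headers:
        print(f"{h}\n  -> {add_secure(h)}")
    print("Missing before rewrite:", audit(headers))
    print("Missing after rewrite :", audit([add_secure(h) for h in headers]))
```

Two caveats that follow from what the script shows. First, the rewrite rule only adds Secure; a cookie like WSS_FullScreenMode in the sample is still missing HttpOnly afterwards, so the httpCookies setting in step 1 (or the application that sets the cookie) has to supply that flag. Second, Secure cookies issued over plain HTTP are rejected by current browsers, so apply the rule only on a web application that is served over HTTPS everywhere (including its alternate access mappings), and check the result with this script or the browser's developer tools after an IIS reset.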

SinPeow commented: Will this work for SharePoint 2019?

sadomovalex answered

I did it some time ago for a public-facing site running on SharePoint. It worked, and no side effects were found after that.
