Added protection against XSS cookie-theft attacks #12

merged 1 commit into from Apr 26, 2011



I've added the HttpOnly attribute to session cookies in order to raise the barrier to XSS cookie theft. It seems like a zero-cost win so I thought I'd share.

It's still a draft spec but already has significant browser support. Not sure of the exact status but the 2008 state is described on Coding Horror below:
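As an added example (not code from this pull request or the project it targets), here is a JavaScript helper that serializes a session cookie with the HttpOnly attribute, plus a checker that reports which protective attributes a Set-Cookie header lacks; it goes slightly beyond the PR by also covering Secure and SameSite. The cookie name `_node` and all function names are assumptions.

```javascript
// Added example: builds a Set-Cookie header for a session cookie and audits
// headers for the attributes that limit cookie theft. Not project code.

const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Serialize a session cookie. HttpOnly keeps document.cookie from exposing the
// value to injected script; Secure keeps it off plaintext HTTP. Both default on.
function buildSessionCookie(name, value, opts = {}) {
  if (!COOKIE_NAME_RE.test(name)) throw new Error('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`];
  parts.push(`Path=${opts.path || '/'}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${Math.floor(opts.maxAge)}`);
  if (opts.secure !== false) parts.push('Secure');
  if (opts.httpOnly !== false) parts.push('HttpOnly');
  parts.push(`SameSite=${opts.sameSite || 'Lax'}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header value into the cookie name and a map of
// lower-cased attribute names to their values (true for flag attributes).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, attributes };
}

// Return the protective attributes missing from a Set-Cookie header, so a
// test or a response-header audit can flag a session cookie readable by script.
function missingCookieProtections(header) {
  const { attributes } = parseSetCookie(header);
  const missing = [];
  if (!attributes.httponly) missing.push('HttpOnly');
  if (!attributes.secure) missing.push('Secure');
  if (!attributes.samesite) missing.push('SameSite');
  return missing;
}
```

Run `missingCookieProtections` over each Set-Cookie header a server emits in an integration test to catch a session cookie that regresses to script-readable.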

@caolan caolan added a commit that referenced this pull request Apr 26, 2011
@caolan Merged pull request #12 from richmarr/master.
Added protection against XSS cookie-theft attacks
@caolan caolan merged commit a2e5c87 into caolan:master Apr 26, 2011