Hi, I have a project in node.js
and I want to set the HttpOnly flag: true for the response header.
I have written the following code in app.js
but it makes no effect in the response header.
const express = require('express');
const session = require('express-session');
const app = express();

app.use(session({
  secret: "notagoodsecretnoreallydontusethisone",
  resave: false,
  saveUninitialized: true,
  // secure: true tells the browser to send the cookie only over HTTPS
  cookie: { httpOnly: true, secure: true }
}));
So any suggestion for setting the HttpOnly flag in express.js
is most welcome.
Here is how you can tell Express to set your cookie using the HttpOnly flag:
res.cookie('sessionid', '1', { httpOnly: true });
You can set up nginx to handle the SSL requests and just speak HTTP to your node app.js. For systems using AWS, you are better off using EC2 Elastic Load Balancers to handle SSL termination, and allow regular HTTP traffic to your EC2 web servers.
HttpOnly is a flag that can be included in a Set-Cookie response header. The presence of this flag will tell browsers to not allow client side script access to the cookie (if the browser supports it). This is important because it helps protect your cookie data from malicious scripts and helps mitigate the most common XSS attacks.
I think you could try this!
const express = require('express');
const session = require('express-session');
const app = express();

app.use(session({
  name: 'sessionName',               // express-session calls this option `name`
  secret: "notagoodsecretnoreallydontusethisone",
  resave: false,
  saveUninitialized: true,
  cookie: {
    httpOnly: true, // don't let browser JavaScript access the cookie, ever
    secure: true    // only send the cookie over HTTPS
    // no maxAge/expires: a session cookie, deleted when the browser closes
  }
}));