how to set HttpOnly and Secure flag set in apache2.4.6 and tomcat

apache security httponly
Kobra Ghahremani picture Kobra Ghahremani · Dec 22, 2013 · Viewed 12.8k times · Source

I have an apache2.4.6 and dotcms2.3.2 in suselinux. I want to set httponly and secure falg in dotcms and tomcat . I set these configurations in apache and tomcat: <Context useHttpOnly="true"> in context.xml <Connector maxThreads="400" connectionTimeout="3000" port="8080" protocol="HTTP/1.1" redirectPort="8443" URIEncoding="UTF-8" secure="true" /> in server.xml

Header edit Set-Cookie ^(.*)$ $1;HttpOnly

or 

Header set Set-Cookie HttpOnly;Secure

in httpd.conf.

after that restart tomcat and test with burp suite , but it does't set in cookie .

Answer

Ferris picture Ferris · Jul 25, 2017 
Header set Set-Cookie HttpOnly;Secure

in httpd.conf works.

Related questions

PHP $_SERVER['HTTP_HOST'] vs. $_SERVER['SERVER_NAME'], am I understanding the man pages correctly?

I did a lot of searching and also read the PHP $_SERVER docs. Do I have this right regarding which to use for my PHP scripts for simple link definitions used throughout my site? $_SERVER['SERVER_NAME'] is based on …

Read More
Is there a way to force apache to return 404 instead of 403?

Is there a way how I can configure the Apache web server to return a 404 (not found) error code instead of 403 (forbidden) for some specific directories which I want to disallow to be accessed? I found some solutions suggesting the …

Read More
Why is SSLCertificateKeyFile needed for Apache?

What's the technical reason that SSLCertificateKeyFile is needed (the private key)? Where is that used and for what?

Read More