XSS attacks when setting cookies
We all know that many XSS attacks aim to obtain users' cookie information. The most common method is to transmit cookies to other servers by setting src in js.
So how can we prevent js from getting cookies? Here is a simple method. Taking PHP as an example, we seldom write the following parameters when setcookie, and basically write the data to the date, take a look at its parameter settings.
Bool setcookie (string $ name [, string $ value [, int $ expire = 0 [, string $ path [, string $ domain [, bool $ secure = false [, bool $ httponly = false])
What is the next $ httponly? They actually set to send cookies only under http. For example, if $ httponly is set to true, they cannot be obtained when js is used to obtain cookies. You can try it, although not all browsers support it and there are other ways to obtain cookies, it can reduce some security vulnerabilities.
Welcome to the discussion!