Cookie secure and HTTPOnly Attributes in Vestacp

Vestacp is an open source server management tool. Once you install it on server it becomes an integral part of your server. Also, it comes under any PCI compliance scans you would run on your server. In my case I was running PCI compliance scan by Qualys and it failed for the Cookie secure and HTTPOnly attributes, something like this:

  • Cookie Does Not Contain The “HTTPOnly” Attribute
  • Cookie Does Not Contain The “secure” Attribute

What are Cookie secure and HTTPOnly attributes?

Websites use cookies to create a communication channel between user and server. A website not using an SSL certificate works through HTTP. In HTTP channel data is transferred in plain text. It applies to cookies as well. Since data is in plain text any attacker can eavesdrops between the user and server to read the data.

Website using SSL uses secured HTTPS protocol to communicate with user. In this case if an attacker intercepts the communication and tries to read the data he won’t as data is encrypted and almost impossible to read.

Now here question arises that if my website uses HTTPS why do I need to set HTTPOnly and secure attributes. There is a catch there. Any website using HTTPS can also be accessed through HTTP. Most site owners implement a redirection mechanism so that any non HTTPS requests are routed to HTTPS protocol.

With this possibility to reach website with HTTP we need to tell the server or script to not use HTTP or plain text protocol to deliver cookies and only deliver them using HTTPS channel only.

How to make HTTPOnly and secure Cookie attributes work?

Implementing Cookie secure and HTTPOnly on Apache server

In Apache you can edit httpd.conf file to add the following rule to headers as following.

  1. Make sure that mod_headers module is enabled
  2. Add the following code to httpd.conf file
    <IfModule mod_headers.c>  
       Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

    Note: Header edit is not compatible with lower than Apache 2.2.4 version. So the following code should be used, within the <ifModule> block, of course.

    Header set Set-Cookie HttpOnly;Secure
  3. Restart Apache to view the change

In nginx server

  1. Set the following in nginx.conf file under server or http directives. Example:
    server {
        proxy_cookie_path / "/; secure; HttpOnly";
  2. Restart nginix

In vestacp

Vestacp has its own nginx and httpd builds
Location of nginx.conf in vest where you could add proxy_cookie_path option is:
Make same changes as described in nginx.cong:
server {
    proxy_cookie_path / "/; secure; HttpOnly";
Do the same for httpd.conf
<IfModule mod_headers.c>  
   Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Restart vestacp with:
service vesta restart

Hint: In Vestacp there is a Server section where you can edit Apache & nginx conf files through admin panel. Just add the above given lines of code and save with Restart option checked. It should take effect.

If making changes to httpd.conf and/or nginx.conf does not work try changing session settings in php.ini file. Location of php.ini in my Centos 7 system was /usr/local/vesta/php/lib/php.ini

Once located search for these two settings in your file and set them to 1

  1. session.cookie_secure=1
  2. session.http_only=1

After making changes to settings in vestacp from ssh restart vestacp service:

service vesta restart

Leave a Reply