The Secure, HttpOnly and SameSite flags harden cookie security.
Cookie Security covers the HTTP cookie attributes (flags) that harden cookies: Secure, HttpOnly, SameSite, Domain, Path and Max-Age. Cookie configuration is critical because cookies usually carry session tokens, and a compromised session token means account takeover.
Main attributes:
(1) **Secure**: the cookie is sent only over HTTPS, never over plain HTTP. Prevents cleartext transmission that could be captured by network sniffing.
(2) **HttpOnly**: the cookie cannot be read by JavaScript (document.cookie). Mitigates XSS payloads that steal session tokens.
(3) **SameSite**: controls whether the cookie is sent on cross-site requests. Three values:
- **Strict**: cookie sent only on same-site requests. Maximum security, but breaks OAuth flows and cross-site links (a link followed from another site arrives without the cookie).
- **Lax** (the default since Chrome 80, 2020): cookie sent on top-level navigations (clicking links) but not on subresource loads (img, iframe) or cross-site POSTs. Good balance between security and UX.
- **None**: cookie sent on all cross-site requests (requires the Secure flag). Used for legitimate cross-site cookies (CDN auth, etc.).
(4) **Domain**: specifies which hosts receive the cookie. Default is the origin host only. `Domain=.example.com` shares it across all subdomains.
(5) **Path**: restricts the cookie to a URL path. Default is /.
(6) **Max-Age / Expires**: cookie lifetime. Session cookies (no Max-Age or Expires) are deleted when the browser is closed.
Example of a secure cookie: `Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax; Max-Age=3600`
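To make the SameSite rules above concrete, here is an added model (not code from the original page) of when a browser attaches a cookie to a request. It is a simplification: Strict means same-site requests only, Lax adds cross-site top-level navigations with a safe method (GET/HEAD), and None means every request but only when Secure is also set. The `registrable_domain` helper is an assumed two-label approximation of eTLD+1; real browsers use the Public Suffix List.

```python
"""Model of when a browser attaches a cookie, driven by its SameSite value.

Added illustration, not part of the original page. Simplified rules:
Strict = same-site only; Lax = same-site plus cross-site top-level navigations
with a safe method; None = always, but only if the cookie also carries Secure.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str = "Lax"  # "Strict", "Lax" or "None"; browser default since Chrome 80 is Lax
    secure: bool = True


@dataclass(frozen=True)
class RequestContext:
    initiator_host: str          # site the request originates from (the page that links/embeds)
    target_host: str             # site the cookie belongs to
    top_level_navigation: bool   # following a link / submitting a form, vs. img/iframe/fetch
    method: str = "GET"
    https: bool = True


def registrable_domain(host: str) -> str:
    """Toy eTLD+1 (assumption: two-label suffix); real browsers use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_cross_site(initiator_host: str, target_host: str) -> bool:
    """Same-site = same registrable domain, so app.example.com -> api.example.com is same-site."""
    return registrable_domain(initiator_host) != registrable_domain(target_host)


def would_send(cookie: Cookie, ctx: RequestContext) -> bool:
    """Return True if the cookie would be attached to the request described by ctx."""
    # A Secure cookie is never sent over plain HTTP, whatever SameSite says.
    if cookie.secure and not ctx.https:
        return False
    if cookie.same_site == "None":
        # Browsers refuse to store SameSite=None without Secure, so it is never sent.
        return cookie.secure
    if not is_cross_site(ctx.initiator_host, ctx.target_host):
        return True
    if cookie.same_site == "Strict":
        return False
    # Lax: only top-level navigations with a safe method cross the site boundary.
    return ctx.top_level_navigation and ctx.method.upper() in ("GET", "HEAD")


if __name__ == "__main__":
    session = Cookie("session", same_site="Lax")
    link = RequestContext("news.example", "bank.example", top_level_navigation=True)
    post = RequestContext("news.example", "bank.example", top_level_navigation=True, method="POST")
    print("cross-site link click:", would_send(session, link))   # True
    print("cross-site form POST:", would_send(session, post))    # False
```

One caveat the model leaves out: Chrome treats cookies that have no explicit SameSite attribute as "Lax-allowing-unsafe" for the first two minutes after they are set, so they are still attached to cross-site top-level POSTs during that window. Setting `SameSite=Lax` explicitly removes that exception.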
Best practices:
(1) **Always Secure + HttpOnly + SameSite=Lax** as the minimum for session tokens.
(2) **SameSite=Strict** for highly sensitive cookies (admin sessions, banking).
(3) **Short Max-Age** for sensitive cookies (and regenerate the session on critical actions).
(4) **Cookie prefixes**: `__Secure-` requires the Secure flag; `__Host-` requires Secure, no Domain attribute (host-only) and Path=/. The browser enforces these rules based on the cookie name.
(5) **Rotate session tokens** on privilege escalation (login, role change).
(6) **CSRF protection**: even with SameSite=Lax, additional CSRF tokens for state-changing operations are recommended.
(7) **Audit cookie usage**: why does your site set N cookies?
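The attribute and prefix rules above can be checked mechanically on every `Set-Cookie` header a service emits. The following linter is an added example, not code from the original page: `parse_set_cookie()` is a minimal parser (attribute names compared case-insensitively, as in RFC 6265) and `audit_cookie()` returns a list of findings, an empty list meaning the cookie passes. The 3600-second `max_age_limit` is an assumed local policy value, not a standard.

```python
"""Audit a Set-Cookie header value against the cookie-hardening checklist.

Added example, not part of the original page. Returns findings as strings;
an empty list means the cookie satisfies the checks.
"""


def parse_set_cookie(header: str):
    """Split 'name=value; Attr; Attr=value' into (name, value, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str, session_cookie: bool = True, max_age_limit: int = 3600):
    """Return a list of policy findings for one Set-Cookie header value."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    secure = "secure" in attrs

    if not secure:
        findings.append("missing Secure")
    if session_cookie and "httponly" not in attrs:
        findings.append("missing HttpOnly")

    same_site = attrs.get("samesite", "").lower()
    if not same_site:
        findings.append("missing SameSite (set Lax or Strict explicitly)")
    elif same_site == "none" and not secure:
        findings.append("SameSite=None requires Secure")
    elif same_site not in ("lax", "strict", "none"):
        findings.append(f"unknown SameSite value '{same_site}'")

    # Cookie prefixes: browsers reject the cookie outright if these rules are violated.
    if name.startswith("__Host-"):
        if not secure:
            findings.append("__Host- prefix requires Secure")
        if "domain" in attrs:
            findings.append("__Host- prefix forbids the Domain attribute")
        if attrs.get("path") != "/":
            findings.append("__Host- prefix requires Path=/")
    elif name.startswith("__Secure-") and not secure:
        findings.append("__Secure- prefix requires Secure")

    # A Domain attribute widens a session cookie to every subdomain.
    if session_cookie and "domain" in attrs:
        findings.append(f"Domain={attrs['domain']} shares the session with every subdomain")

    # Assumed policy: sensitive cookies should not outlive max_age_limit seconds.
    max_age = attrs.get("max-age")
    if max_age is not None:
        if not max_age.lstrip("-").isdigit():
            findings.append(f"invalid Max-Age '{max_age}'")
        elif int(max_age) > max_age_limit:
            findings.append(f"Max-Age {max_age} exceeds policy limit {max_age_limit}")
    return findings


if __name__ == "__main__":
    samples = (  # constructed header values, not captured from any real site
        "session=abc123; Secure; HttpOnly; SameSite=Lax; Max-Age=3600",
        "__Host-sid=x; Secure; HttpOnly; SameSite=Strict; Domain=example.com; Path=/",
        "id=1; HttpOnly; SameSite=None",
    )
    for h in samples:
        print(h, "->", audit_cookie(h) or "OK")
```

Running this over the headers a reverse proxy or test suite captures turns the checklist into a regression test: a deploy that drops `Secure` or adds a `Domain` attribute to the session cookie fails the build instead of reaching production.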
Attacks mitigated:
(1) **Session hijacking** via XSS → blocked by HttpOnly.
(2) **Sniffing** of plaintext HTTP → blocked by Secure.
(3) **CSRF** → mitigated by SameSite=Lax/Strict.
(4) **Subdomain attacks** → the __Host- prefix.
Real incidents: the 2018 Twitter session cookie leak (users logged in over HTTPS, but the cookies were not marked Secure), and countless XSS chains stealing JavaScript-readable session cookies; HttpOnly is non-negotiable. Skills: Security+, CISSP, OSCP.