+1

Thanks & regards,
-Prabath

On Wed, Sep 9, 2015 at 6:38 AM, Supun Malinga <sup...@wso2.com> wrote:
> Hi,
>
> In order to prevent attacks we should do $subject. For this there are
> a couple of things specified in the security checklist.
>
> 1. cookies are exposed only over HTTP
> in repository/conf/tomcat/context.xml set,
> *useHttpOnly="true"*
>
> 2. cookies are exposed only over HTTPS
> in all web.xml configs set,
> <session-config>
>   <cookie-config>
>     *<secure>true</secure>*
>   </cookie-config>
> </session-config>
>
> Shall we enable these by default from kernel level where applicable?
>
> [1] https://www.owasp.org/index.php/HttpOnly
>
> thanks,
> --
> Supun Malinga,
>
> Senior Software Engineer,
> WSO2 Inc.
> http://wso2.com
> email: sup...@wso2.com <sup...@wso2.com>
> mobile: +94 (0)71 56 91 321
>

--
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
Mobile : +1 650 625 7950
http://blog.facilelogin.com
http://blog.api-security.org
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
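The two settings discussed in the thread (Tomcat's `useHttpOnly` in context.xml and `<secure>` in web.xml's `<cookie-config>`), plus the Servlet 3.0 `<http-only>` flag that belongs beside `<secure>`, checked by a small audit script. This is an added example, not code from the thread or from WSO2; the config snippets are constructed samples and the function names are my own.

```python
"""Audit Tomcat / Servlet session-cookie hardening: context.xml useHttpOnly,
web.xml <cookie-config> secure + http-only, and a live Set-Cookie header."""
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from any real WSO2 distribution).
WEAK_CONTEXT = '<Context></Context>'
HARDENED_CONTEXT = '<Context useHttpOnly="true"></Context>'
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config><session-timeout>15</session-timeout></session-config>
</web-app>"""
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <cookie-config><secure>true</secure><http-only>true</http-only></cookie-config>
  </session-config>
</web-app>"""


def _local(tag):
    """Strip the XML namespace: '{ns}secure' -> 'secure'."""
    return tag.rsplit("}", 1)[-1]


def _find_text(root, path):
    """Descend through child elements by local name; return lower-cased text or None."""
    node = root
    for name in path:
        node = next((c for c in node if _local(c.tag) == name), None)
        if node is None:
            return None
    return (node.text or "").strip().lower()


def audit_context_xml(xml_text):
    """Findings for repository/conf/tomcat/context.xml (<Context useHttpOnly="true">)."""
    root = ET.fromstring(xml_text)
    if root.get("useHttpOnly", "").lower() != "true":
        return ['context.xml: <Context useHttpOnly="true"> not set']
    return []


def audit_web_xml(xml_text):
    """Findings for a web.xml: both cookie flags must be literally 'true'."""
    root = ET.fromstring(xml_text)
    findings = []
    for flag in ("secure", "http-only"):
        if _find_text(root, ["session-config", "cookie-config", flag]) != "true":
            findings.append(f"web.xml: <cookie-config><{flag}>true</{flag}> not set")
    return findings


def audit_set_cookie(header_value):
    """Check a Set-Cookie value end-to-end; attribute names are case-insensitive."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in header_value.split(";")[1:]}
    return [f"Set-Cookie: missing {f}" for f in ("HttpOnly", "Secure") if f.lower() not in attrs]
```

Running the header check against the real JSESSIONID response confirms the config took effect, since a proxy or a servlet that sets its own cookie can still undo the web.xml defaults.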