How do I set the HttpOnly cookie attribute in CA API Developer Portal?

Document ID : KB000009926
Last Modified Date : 14/02/2018
Introduction:

My vulnerability scanner recommends that I implement the HttpOnly flag, also known as "secure cookies". I want to set the HttpOnly flag. How do I accomplish that?

Background:
  • HttpOnly is an additional attribute on a cookie, not a cookie of its own. It is sent as part of the Set-Cookie HTTP response header.
  • Setting the HttpOnly attribute helps mitigate the risk from client-side scripting / XSS attack vectors.
  • It tells the browser that this particular cookie should only be accessed by the server, and that anything else is strictly forbidden.
  • This only works if the browser honours the attribute; nearly all modern browsers do, but keep this in mind.
    • It is not a "silver bullet"; it just makes it harder to collect data that nobody other than the server should have.
Environment:
This article applies to all API Developer Portal 3.x versions.
Instructions:

To set the HttpOnly attribute on the cookie, follow these steps:

  1. Stop the apiportal service: service apiportal stop
  2. Update /opt/Deployments/lrs/server/conf/server.xml by replacing <Context path="" docBase="ROOT"> with <Context path="" docBase="ROOT" useHttpOnly="true"> and then saving the changes.
  3. Start the apiportal service: service apiportal start
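The following script is an added example and is not part of the KB article or of the Portal product. It applies the server.xml change from step 2 as an exact-string replacement (skipping the edit when the attribute is already present and keeping a backup), confirms that the attribute is in the file, and, for the Background section's point that HttpOnly is an attribute inside the Set-Cookie header, reads captured HTTP response headers and lists every cookie that lacks it. The file path, the Context element and the apiportal service name are taken from the article; the function names, the backup naming and the constructed sample headers used in the usage note are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the KB article): apply and verify useHttpOnly on the
# Tomcat <Context> element in the API Developer Portal's server.xml.
# Assumptions: the path and the <Context ...> text are those the article gives;
# the function names and backup file naming are this example's own.

SERVER_XML="${SERVER_XML:-/opt/Deployments/lrs/server/conf/server.xml}"
BEFORE='<Context path="" docBase="ROOT">'
AFTER='<Context path="" docBase="ROOT" useHttpOnly="true">'

# enable_http_only FILE: rewrite the Context element once, keeping a backup.
# Returns 0 on success or when the attribute is already set, 1 when the
# expected element is not found (so the operator inspects the file by hand).
enable_http_only() {
    file="$1"
    if grep -qF "$AFTER" "$file"; then
        echo "already set: $file"
        return 0
    fi
    if ! grep -qF "$BEFORE" "$file"; then
        echo "expected Context element not found in $file" >&2
        return 1
    fi
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    # '|' as the sed delimiter so the quotes and slashes in the element need
    # no escaping; the pattern is the article's exact text.
    sed -i "s|$BEFORE|$AFTER|" "$file"
}

# has_http_only FILE: 0 if the file now carries useHttpOnly="true".
has_http_only() {
    grep -q 'useHttpOnly="true"' "$1"
}

# apply_http_only: the article's three steps in order (stop, edit, start).
# Not called here; run it as root on the Portal host.
apply_http_only() {
    service apiportal stop
    enable_http_only "$SERVER_XML" || return 1
    service apiportal start
}

# cookies_missing_httponly: read HTTP response headers on stdin and print the
# name of every Set-Cookie that lacks the HttpOnly attribute.
# Returns 0 when every cookie carries it, 1 otherwise. After the restart:
#   curl -sI https://portal.example.com/ | cookies_missing_httponly
cookies_missing_httponly() {
    # Drop the CR of CRLF line endings, then inspect Set-Cookie lines only.
    tr -d '\r' | awk '
        tolower($0) ~ /^set-cookie:/ {
            sub(/^[^:]*:[ \t]*/, "")            # remove the header name
            name = $0; sub(/=.*/, "", name)     # cookie name precedes "="
            if (tolower($0) !~ /;[ \t]*httponly([ \t]*;|[ \t]*$)/) {
                print name
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}
```

Source the file and run `enable_http_only "$SERVER_XML" && has_http_only "$SERVER_XML"` with the service stopped, or call `apply_http_only` to perform all three steps; afterwards pipe the Portal's response headers into `cookies_missing_httponly`, which should print nothing and exit 0 once the Tomcat session cookie carries HttpOnly.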
Additional Information:

The description above of what the HttpOnly flag is was inspired by the following webpages: