How do I set the HttpOnly cookie attribute in CA API Developer Portal?

Document ID : KB000009926
Last Modified Date : 14/02/2018

My vulnerability scanner recommends that I implement the HttpOnly flag, also known as "secure cookies". I want to set the HttpOnly flag. How do I accomplish that?

  • HttpOnly is an additional flag, not its own cookie. It is included in the Set-Cookie HTTP response header.
  • Using the HttpOnly flag helps mitigate the risks of client-side scripting / XSS attack vectors.
  • It tells the browser that this cookie is only to be sent back to the server with HTTP requests; client-side script must not be able to read it.
  • This only works if the browser honours the flag; nearly all modern browsers do, but keep this dependency in mind.
    • It is not a "silver bullet"; it just makes it harder for anyone other than the server to read the cookie's data.

This article applies to all API Developer Portal 3.x versions.

To implement the HttpOnly flag for the cookie, the following instructions should be followed:

  1. Stop the apiportal service: service apiportal stop
  2. Update /opt/Deployments/lrs/server/conf/server.xml by replacing <Context path="" docBase="ROOT"> with <Context path="" docBase="ROOT" useHttpOnly="true"> and then saving the changes.
  3. Start the apiportal service: service apiportal start
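The three steps above wrapped into a script, as an added example that is not part of the CA KB article: it patches the ROOT Context element idempotently (taking a backup first and refusing to continue if the expected element is not found), wraps the stop/patch/start sequence, and includes a check for the HttpOnly attribute on a Set-Cookie header so the change can be verified after the restart. The sample server.xml is constructed for the demonstration; SERVER_XML defaults to the path the article gives; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the CA KB article. Enables Tomcat's useHttpOnly
# on <Context path="" docBase="ROOT"> in server.xml and verifies the result.

# Path from the article; override with SERVER_XML=... in the environment.
SERVER_XML="${SERVER_XML:-/opt/Deployments/lrs/server/conf/server.xml}"

HTTPONLY_CONTEXT='<Context path="" docBase="ROOT" useHttpOnly="true">'

# Write a constructed, minimal server.xml (a stand-in for the real file) to $1.
make_sample_server_xml() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="" docBase="ROOT">
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
EOF
}

# Return 0 if the ROOT Context in file $1 already carries useHttpOnly="true".
context_has_http_only() {
  grep -q "$HTTPONLY_CONTEXT" "$1"
}

# Step 2 of the article: add useHttpOnly="true" to the ROOT Context in file $1.
# Idempotent (a second run changes nothing), keeps a .bak copy, and fails
# loudly if the element the article names is not present in this form.
enable_http_only() {
  f="$1"
  if context_has_http_only "$f"; then
    return 0
  fi
  cp "$f" "$f.bak"
  # Portable in-place edit (no GNU-only `sed -i`).
  sed 's|<Context path="" docBase="ROOT">|'"$HTTPONLY_CONTEXT"'|' "$f" > "$f.tmp" \
    && mv "$f.tmp" "$f"
  if ! context_has_http_only "$f"; then
    echo "ROOT Context element not found in $f; edit it by hand" >&2
    return 1
  fi
}

# Steps 1-3 of the article in order. Run as root on the portal host.
apply_http_only_to_portal() {
  service apiportal stop
  enable_http_only "$SERVER_XML"
  service apiportal start
}

# Post-change check: return 0 if a Set-Cookie header value carries HttpOnly
# (matched case-insensitively, as browsers do). Feed it the header line from
# e.g.  curl -sI https://<portal-host>/ | grep -i '^Set-Cookie'
set_cookie_has_http_only() {
  printf '%s\n' "$1" | grep -Eiq '(^|;)[[:space:]]*HttpOnly[[:space:]]*(;|$)'
}
```

After the service is back up, request the login page and confirm that every Set-Cookie header in the response carries HttpOnly; a session cookie that still lacks it means the edit did not land on the Context element that actually serves the portal.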
Additional Information:

Content on what the HttpOnly flag is was inspired by the following webpages: