Ensure HTTPOnly attribute on LTPA cookies

Information

When the com.ibm.ws.security.addHttpOnlyAttributeToCookies custom property is set to true, the server adds the HttpOnly attribute to the security cookies it creates (the LTPA and WASReqURL cookies). HttpOnly is a cookie attribute honored by browsers: a cookie carrying it is still sent with requests, but it is not exposed to client-side script (for example, JavaScript reading document.cookie). The attribute does not prevent cross-site scripting itself; it limits what an injected script can do, because the script can no longer read the LTPA token and replay the authenticated session.

Solution

1. Expand Security
2. Click Global security
3. Click Custom Properties
4. Click New
5. Set Name as com.ibm.ws.security.addHttpOnlyAttributeToCookies and Value as true
6. Click Apply
7. Click Save
8. Restart the WebSphere Application Server
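After the restart, confirm the change took effect by looking at the Set-Cookie headers the server actually sends rather than trusting the console setting. The following check is an added example for this audit item, not part of the original page or of IBM's product. It parses Set-Cookie headers and reports any security cookie (names starting with LtpaToken or WASReqURL, WebSphere's defaults) that lacks HttpOnly; the sample headers are constructed, and the JSESSIONID cookie is deliberately ignored because the custom property only affects the security cookies.

```python
"""Verify HttpOnly on WebSphere security cookies (LTPA and WASReqURL).

Added example for this audit item; not part of the original page or of
IBM's product. Cookie names follow WebSphere's defaults (LtpaToken,
LtpaToken2, WASReqURL); the sample headers below are constructed.
"""
from __future__ import annotations

# Security cookies created by the server that the custom property affects.
# JSESSIONID is a servlet session cookie, not a security cookie, so it is
# outside the scope of this check.
SECURITY_COOKIE_PREFIXES = ("LtpaToken", "WASReqURL")


def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Split one Set-Cookie header into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as HttpOnly and
    Secure map to None. Splitting on ';' is safe because cookie values and
    attribute values (including Expires dates) never contain a semicolon.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return name, attrs


def is_security_cookie(name: str) -> bool:
    """True for the cookies the custom property is documented to cover."""
    return name.startswith(SECURITY_COOKIE_PREFIXES)


def audit_httponly(set_cookie_headers: list[str]) -> dict[str, bool]:
    """Return {cookie name: has HttpOnly} for every security cookie seen."""
    result: dict[str, bool] = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if is_security_cookie(name):
            result[name] = "httponly" in attrs
    return result


def missing_httponly(set_cookie_headers: list[str]) -> list[str]:
    """Names of security cookies that were issued without HttpOnly."""
    return sorted(n for n, ok in audit_httponly(set_cookie_headers).items() if not ok)


# Constructed sample: headers an unauthenticated request to a protected
# resource might return before the property is set (WASReqURL lacks HttpOnly).
BEFORE = [
    "WASReqURL=https://app.example.test/secure/index.jsp; Path=/",
    "JSESSIONID=0000ABCDEF:-1; Path=/; HttpOnly",
]

# Constructed sample: the same cookies after the property is set and the
# server restarted, plus the LTPA token issued after a successful login.
AFTER = [
    "LtpaToken2=AAECAzIwMjQwMTAxVGVzdA==; Path=/; Secure; HttpOnly",
    "WASReqURL=https://app.example.test/secure/index.jsp; Path=/; HttpOnly",
    "JSESSIONID=0000ABCDEF:-1; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        gaps = missing_httponly(headers)
        print(f"{label}: {'PASS' if not gaps else 'FAIL, missing HttpOnly on ' + ', '.join(gaps)}")
```

To run this against a live server, capture the response headers of an unauthenticated request to a protected URL (for example with curl -si) and a form-login response, and pass the Set-Cookie lines to missing_httponly; an empty list means every LTPA and WASReqURL cookie carried the attribute.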

See Also

https://www.ibm.com/developerworks/websphere/zones/was/security/

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6

Plugin: Unix

Control ID: 2c8611f906097475efa741429df3d88d6578c36b40a780572761a921521fd622