Versions Compared

Old Version 13

changes.mady.by.user Jacques Le Roux

Saved on

compared with

New Version 14

changes.mady.by.user Jacques Le Roux

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Set-Cookie doc

...

According to Wikipedia and Owasp, the only defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions.

X-XSS-Protection

The secure flag on cookies instructs the browser to only submit the cookie as part of requests over secure (HTTPS) connections. This prevents the cookie from being observed as plain text in transit over the network.

The HttpOnly flag instructs the browser that this cookie can only be accessed when sending an HTTP request. This prevents scripts running as part of a page from retrieving the value and is a defense against XSS attacks.

https://www.owasp.org/index.php/HttpOnly

https://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OWASP-SM-002%29

https://tomcat.apache.org/migration-7.html#Session_cookie_configuration This is not Tomcat 7 specific but Servlet 3.0 standard!

X-Powered-By

It's recommended to not use the X-Powered-By header. Including information about the server provides no tangible benefit to either the browser or user. It can direct an attacker to known vulnerabilities in the server version and should therefore be avoided.

...