Would you like to learn how to enable the HTTPONLY and SECURE flags on the Apache server? In this tutorial, we are going to show you how to protect your website's cookies by adding the HTTPONLY and SECURE flags on the Apache server.

• Ubuntu 20
• Ubuntu 19
• Ubuntu 18
• Apache 2.4.41

In our example, the Apache server is hosting the website WWW.GAMEKING.TIPS.

Tutorial Apache – Enable the HttpOnly and Secure flags

Install the Apache server.

Enable the required Apache modules.

Edit the Apache configuration file for the website.

If your website supports only HTTP, add the following lines at the end of the file.

If your website supports only HTTPS, add the following lines at the end of the file.

Restart the Apache service.

The HTTPONLY flag increases the cookie's protection by preventing client-side scripts from accessing it.

The SECURE flag increases security even further: the cookie is sent only over an HTTPS connection.

Create a PHP file to test the HTTPONLY configuration.

Here is the file content.

This test requires that your Apache server supports PHP.

From a remote Linux computer, try to access this page.

Here is the command output with the flag HTTPONLY enabled.

Here is the command output with the flags HTTPONLY and SECURE enabled.

Congratulations! You have enabled the HTTPONLY and SECURE flags on the Apache server.
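
To check the result of the steps above without reading the response headers by eye, the shell function below parses them and reports, for each cookie, whether the HTTPONLY and SECURE flags are set. It is an added example, not part of the original tutorial; the function names `check_cookie_flags` and `sample_headers` and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial).
# Reads raw HTTP response headers on stdin and prints one line per
# Set-Cookie header:  <name> HttpOnly=<yes|no> Secure=<yes|no>
# Exit status: 0 = every cookie has both flags, 1 = a flag is missing,
#              2 = no Set-Cookie header was seen.
# Live use (URL is a placeholder):  curl -s -I "$URL" | check_cookie_flags
check_cookie_flags() {
    awk '
    {
        sub(/\r$/, "")                        # HTTP headers end in CRLF
        if (tolower($0) !~ /^set-cookie:/) next
        seen++
        line = $0
        sub(/^[^:]*:[ \t]*/, "", line)        # drop the header name
        n = split(line, part, ";")
        name = part[1]; sub(/=.*/, "", name)  # first segment is name=value
        httponly = "no"; secure = "no"
        # Only attribute segments are inspected, so a cookie *value* such as
        # "theme=secure" is not mistaken for the Secure flag.
        for (i = 2; i <= n; i++) {
            attr = tolower(part[i])
            gsub(/^[ \t]+|[ \t]+$/, "", attr)
            if (attr == "httponly") httponly = "yes"
            if (attr == "secure")   secure = "yes"
        }
        if (httponly == "no" || secure == "no") bad++
        printf "%s HttpOnly=%s Secure=%s\n", name, httponly, secure
    }
    END { if (seen == 0) exit 2; if (bad > 0) exit 1 }
    '
}

# Constructed sample response: one fully flagged cookie, and one cookie that
# has HttpOnly but lacks Secure (its value merely contains the word "secure").
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Server: Apache/2.4.41 (Ubuntu)\r\n'
    printf 'Set-Cookie: session=abc123; path=/; HttpOnly; Secure\r\n'
    printf 'set-cookie: theme=secure; Path=/; httponly\r\n'
    printf '\r\n'
}

sample_headers | check_cookie_flags || echo "exit status $?: a flag is missing"
```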