What are Secure Cookies?

HTTP cookies are small packets of data stored in your browser. This data may contain sensitive data like passwords or user information and is therefore vulnerable for attacks. To limit vulnerability you can ‘secure’ your cookies by adding specific attributes to the set cookies, making it harder to manipulate by outsiders.

Cookies are set by almost every website and are used for a lot of different things, like user tracking, affiliate marketing and authentication. Really Simple Security uses the HttpOnly, secure and use_only_cookies parameters to make cookies more secure, when possible. Since Really Simple Security helps you in securing your website by switching your site to SSL, we feel like making these changes to the plugin is a simple way in which we can contribute to the overall safety of your website.

HttpOnly

The HttpOnly flag will tell the browser that this cookie can only be accessed by the server. The main benefit of this is that it prevents cross-site scripting (XSS). For example, this will prevent requests from malicious JavaScript files trying to steal cookies.

Secure

The secure parameter will make sure cookies are only sent over a secure SSL connection. This will prevent any cookies being sent over http://, thus preventing the stealing of cookies by a “man-in-the-middle” attack.

use_only_cookies

the use_only_cookies parameter will tell your website to use only cookies to store session data. This prevents attacks involving passing session ids in URLs.

Implementation

Really Simple Security will set these parameters in your wp-config.php file. On most WordPress installations this file is writeable and Really Simple Security will apply the changes automatically. If the file is not writeable, the plugin will show you which code to add so you can add it manually. If you choose to deactivate the plugin, the code will also be removed from the wp-config.php file.

Let us know if you have any questions in regards to this article!

Simple and Performant Security.


Easily improve site security with WordPress Hardening, Two-Factor Authentication (2FA), Login Protection, Vulnerability Detection and SSL certificate generation.