usnistgov / 800-63-3

Home to public development of NIST Special Publication 800-63-3: Digital Authentication Guidelines
https://pages.nist.gov/800-63-3/

Require HttpOnly browser cookies #1937

Open jimfenton opened 5 years ago

jimfenton commented 5 years ago

In 800-63B Section 7.1.1, use of HttpOnly is a SHOULD. Consider making it a SHALL to improve resistance to XSS and similar attacks.

brodygov commented 5 years ago

"SHOULD" seems proportionate to me. Setting HttpOnly in cookies will preclude the use of certain types of cross-origin requests, where tokens are needed in JavaScript.

There are sometimes alternatives using CORS and cross-origin requests with .withCredentials = true, but these can be more complicated to implement without advance planning.

Perhaps there's some language that could convey "should set HttpOnly without a specific good reason not to".
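To make the trade-off concrete, here is an added example (not code from the NIST repository or from any commenter) of the two header sets involved: a session cookie with HttpOnly, which page script cannot read, and the CORS response headers that let a browser still attach that cookie to a credentialed cross-origin request. Cookie name, value, and origins are assumed sample values.

```javascript
// Added example: Set-Cookie and CORS headers for an HttpOnly session cookie that
// still works with credentialed cross-origin requests (fetch credentials: 'include'
// or xhr.withCredentials = true). All names and origins below are constructed.

// Build a Set-Cookie header value for a session cookie with hardening attributes.
// HttpOnly is on by default (800-63B 7.1.1 says SHOULD); pass httpOnly: false to
// see the weaker form. Cross-site callers need sameSite 'None' (with Secure);
// same-site subdomains can keep 'Lax'.
function sessionCookieHeader(name, value,
                             { httpOnly = true, sameSite = 'Lax', maxAgeSeconds = 900 } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'Secure',
                 `SameSite=${sameSite}`, `Max-Age=${maxAgeSeconds}`];
  if (httpOnly) parts.push('HttpOnly'); // hides the cookie from document.cookie
  return parts.join('; ');
}

// CORS response headers for a credentialed request. Browsers reject
// Access-Control-Allow-Origin: * together with credentials, so the requesting
// origin is echoed back only when it is on an explicit allowlist.
function corsHeadersFor(origin, allowedOrigins) {
  if (!allowedOrigins.includes(origin)) return {}; // unknown origin: no CORS headers
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // responses differ per origin; keep caches from mixing them
  };
}

// Emulates what document.cookie exposes: a cookie flagged HttpOnly is omitted,
// so an injected script cannot exfiltrate it.
function visibleToScript(setCookieValue) {
  return !/;\s*HttpOnly\b/i.test(setCookieValue);
}

// Usage: the HttpOnly cookie is invisible to script but is still sent by the
// browser on a credentialed request from an allowlisted origin.
const cookie = sessionCookieHeader('sid', 'constructed-session-id', { sameSite: 'None' });
const cors = corsHeadersFor('https://app.example', ['https://app.example']);
console.log(cookie, visibleToScript(cookie), cors);
```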

jricher commented 5 years ago

For what it's worth, the normative "SHOULD" translates to "do this unless you have a very good and very specific reason not to do it", so I am in favor of keeping this a SHOULD, but perhaps with better explanation as to WHY.