undefined | Better HN

0 pointsEGreg10y ago0 comments

HTTPOnly is security theater!!

It is worse than useless because it makes you think you are secure.

XSS attackers are more likely to generate arbitrary requests to secure endpoints as you via JS than they are to send the cookie to themselves at 3AM so they can rush to craft requests.

And httponly does didly squat to prevent that.

Better is to focus entirely on santizing your output properly in the context it is outputted. And use whitelists, never blacklists.

0 comments

3 comments · 2 top-level

davidp10y ago· 1 in thread

    And use whitelists, never blacklists.

Why?

ghayes10y ago

Blacklists are default allow (if unknown, allow). Whitelists are default block. Default block prevents unknown inputs from causing harm.

tptacek10y ago

Hopefully it's clear that I agree with this.

j / k navigate · click thread line to collapse