Protect Against XSS by Enabling HttpOnly for Linux Apache PHP

2012/07/08

HttpOnly is a session cookie flag created to protect against theft of session cookies through cross-site scripting (XSS): a browser will not expose an HttpOnly cookie to client-side script, so an injected script cannot read it. For good security, this should be enabled for PHP running under Apache, especially for sites such as WordPress, Drupal, Joomla, and other popular PHP-based web applications. OWASP has some information on HttpOnly.

I’ll show you how to enable HttpOnly for PHP in Linux!

Edit php.ini

For Debian / Ubuntu, edit this file:


For Red Hat / CentOS, edit this file:


Set the following values in php.ini to enable HttpOnly (the second setting also stops PHP from accepting a session ID passed in the URL, so the session cookie is the only way to carry it):

session.cookie_httponly = 1

session.use_only_cookies = 1

Restart Apache

After making changes, restart Apache.

Test with cURL

To test whether the HttpOnly flag is now being set, use curl -I (a capital I, as in igloo) to fetch only the HTTP response headers:

$ curl -I
HTTP/1.1 200 OK
Date: Mon, 09 Jul 2012 01:28:33 GMT
Server: Apache
Strict-Transport-Security: max-age=43200; includeSubDomains
X-Frame-Options: DENY
Set-Cookie:; path=/
Set-Cookie: PHPSESSID=41p16doq9bu228qeu93r3466r0; path=/; HttpOnly
X-Powered-By: Beer
X-XSS-Protection: 1; mode=block
X-UA-Compatible: IE=edge,chrome=1
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
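Reading the curl output by eye works for one cookie, but a site can set several. The following shell helper is an added example, not from the original post: it reads the headers that curl -I prints on stdin and reports every Set-Cookie line that lacks the HttpOnly attribute, exiting non-zero if any is missing. The hostname example.invalid in the usage comment is a placeholder, and the sample headers in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): scan HTTP response headers on
# stdin and flag every Set-Cookie line without the HttpOnly attribute.
# Usage against a live server, as the post does with curl -I:
#   curl -sI https://example.invalid/ | check_httponly
# (example.invalid is a placeholder hostname, not a real site.)

# Exit status 0 if every Set-Cookie header carries HttpOnly, 1 otherwise.
# Attribute matching is case-insensitive, as cookie attributes are.
check_httponly() {
    missing=0
    total=0
    while IFS= read -r line; do
        # HTTP header lines end in CRLF; drop the CR so anchors match cleanly.
        line=$(printf '%s' "$line" | tr -d '\r')
        case "$line" in
            [Ss][Ee][Tt]-[Cc][Oo][Oo][Kk][Ii][Ee]:*)
                total=$((total + 1))
                # Cookie name: text between "Set-Cookie:" and the first "=".
                # Empty when the header has no "name=" part.
                name=$(printf '%s' "$line" \
                    | sed -n 's/^[^:]*:[[:space:]]*\([^=;]*\)=.*/\1/p')
                # HttpOnly must appear as its own ";"-separated attribute,
                # not merely as a substring of the cookie value.
                if printf '%s' "$line" \
                    | grep -Eqi ';[[:space:]]*httponly([[:space:]]*;|$)'; then
                    echo "OK       ${name:-<unnamed>}"
                else
                    echo "MISSING  ${name:-<unnamed>}  (no HttpOnly flag)"
                    missing=$((missing + 1))
                fi
                ;;
        esac
    done
    echo "$total Set-Cookie header(s), $missing without HttpOnly"
    [ "$missing" -eq 0 ]
}
```

Because the check only looks at the headers the server sends, run it against a page that actually starts a session (a login page or any script that calls session_start()), otherwise no PHPSESSID cookie is issued and there is nothing to inspect.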