IT Nota

How to Enable Secure HttpOnly Cookies in IIS

Session cookies are one of the weakest points of HTTP from a security and privacy standpoint, yet modern web applications need them to maintain state. By default a cookie carries no protection: it can be read by script on the page and is sent over unencrypted connections, so it can be intercepted by an unauthorized party.

Cookies typically store session identifiers that grant full access to an account, so if a cookie is intercepted the session can be hijacked by someone who is not the real user but can now act as that user.

For this reason it is important to set attributes that control how the browser handles the cookie: which connections it may be sent over, and whether client-side script may read it. These flags do not encrypt the cookie; they restrict where it goes.

To make cookies safer to use, there are two attributes to pay attention to: HttpOnly and Secure.

HttpOnly Flag

The first flag to set is HttpOnly. Without it, a cookie is not only sent with HTTP requests; any JavaScript running on the page can also read it through document.cookie. That is dangerous because a cross-site scripting (XSS) flaw anywhere on the site lets an attacker's script read the session cookie and send it to a server the attacker controls.

Setting the HttpOnly flag tells the browser to include the cookie only in HTTP requests and to hide it from script. It does not fix the XSS itself, but it removes the easiest way to turn an XSS into a session hijack.

Secure Flag

The second flag to pay attention to is Secure. Without it, the browser sends the cookie on both HTTP and HTTPS requests to the site. An attacker who cannot read the encrypted HTTPS traffic only needs the victim's browser to make a single plain HTTP request to the same host (for example, for an image or stylesheet linked over http://) to see the same cookie in cleartext. The Secure flag does not encrypt the cookie; it tells the browser never to send it over an unencrypted connection, so the cookie only ever travels inside TLS.

Enable HttpOnly Flag in IIS

Edit the web.config file of your web application and add the following inside the system.web element:

<system.web>
  ...
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
  ...
</system.web>

httpOnlyCookies="true" makes ASP.NET mark every cookie it issues HttpOnly, and requireSSL="true" additionally asks it to mark them Secure. Both settings apply only to cookies created through ASP.NET; cookies set by other handlers or modules are not affected, which is what the URL Rewrite rule in the next section is for. With requireSSL="true" the application has to be served over HTTPS, since the browser will not return a Secure cookie over plain HTTP.

Enable Secure Flag in IIS

To set the Secure flag on every Set-Cookie header IIS sends, regardless of which handler created the cookie, use the URL Rewrite module (linked under Download below) and add the following outbound rule to your web.config file:

<system.webServer>
  <rewrite>
    <outboundRules>
      <rule name="Use only secure cookies" preCondition="Unsecured cookie">
        <match serverVariable="RESPONSE_SET_COOKIE" pattern=".*" negate="false" />
        <action type="Rewrite" value="{R:0}; secure" />
      </rule>
      <preConditions>
        <preCondition name="Unsecured cookie">
          <add input="{RESPONSE_SET_COOKIE}" pattern="." />
          <add input="{RESPONSE_SET_COOKIE}" pattern="; secure" negate="true" />
        </preCondition>
      </preConditions>
    </outboundRules>
  </rewrite>
...
</system.webServer>

The preCondition is what keeps the rule from appending a second attribute to cookies that are already marked Secure; the comparison is case-insensitive, as URL Rewrite patterns are by default. Because the rule rewrites every Set-Cookie header the site emits, it also covers cookies that did not come from ASP.NET. Serve the site over HTTPS only: a Secure cookie set on a plain HTTP response is simply never sent back by the browser.

Check Flags Settings

The following example is an ASP.NET website that has the HttpOnly flag set but not the Secure flag, as reported by a commercial web vulnerability scanner.

Scan result for cookie with missing secure flag

The scanner did not find the Secure flag in the Set-Cookie header and reported the following:

Cookie Missing ‘Secure’ Flag

Description

The session ID does not have the ‘Secure’ attribute set. This attribute prevents cookies from being seen in plaintext. It may be possible for a malicious actor to steal cookie data and perform session theft through man-in-the-middle (MITM) or traffic sniffing attacks. The exploitable condition exists for unencrypted cookies to be passed over the network if a user accesses the site through HTTP instead of HTTPS, or if a link to a resource such as an image file or CSS file within the specified domain uses the HTTP protocol.

Risk

Data may be exposed to unauthorized parties during cookie transmission and increases the risk of session theft via man-in-the-middle (MITM) or traffic sniffing attacks.

Recommendation

Change the default ‘Secure’ attribute from FALSE to TRUE to ensure cookies are sent only via HTTPS. The ‘Secure’ attribute should be set on each cookie to prevent cookies from being observed by malicious actors. Implement the ‘Secure’ attribute when using the Set-Cookie parameter during authenticated sessions.

After applying the configuration above, the scan result is clean, as shown below.

Scan result after secure flag is activated for cookie

As the first scan already showed, in this particular example the Session Cookie Missing ‘HttpOnly’ Flag finding had been fixed beforehand.

Checking the header with cURL (-I sends a HEAD request and prints only the response headers):

$ curl -I https://www.itnota.com

Before

HTTP/1.1 200 OK
Cache-Control: private, no-store, max-age=0, s-maxage=0
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
Set-Cookie: ASP.NET_SessionId=o42zbtr1rzzje3wlvwwcnjmv; path=/; HttpOnly
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
Date: Tue, 10 Jul 2018 20:42:03 GMT
Content-Length: 6722

After

HTTP/1.1 200 OK
Cache-Control: private, no-store, max-age=0, s-maxage=0
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
Set-Cookie: ASP.NET_SessionId=bhn5qcmggcxdy34g5d4kp3hk; path=/; HttpOnly; secure
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
Date: Tue, 10 Jul 2018 20:46:38 GMT
Content-Length: 6722

Notice the secure attribute after HttpOnly at the end of the Set-Cookie header:

Set-Cookie: ASP.NET_SessionId=bhn5qcmggcxdy34g5d4kp3hk; path=/; HttpOnly; secure
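To make both halves of this post concrete, here is an added example (not code from the original post, from IIS or from URL Rewrite) that does in Python what the outbound rewrite rule and the scanner check above do: it parses Set-Cookie header values, reports which of the two hardening attributes are missing, and applies the same "append ; secure unless it is already there" transformation as the rewrite rule. The two ASP.NET_SessionId headers are the ones from the cURL output above; the other two sample headers are constructed for the example.

```python
import re

# Constructed sample Set-Cookie values. The two ASP.NET_SessionId entries are
# the "before" and "after" headers from the cURL output in the post; the other
# two are made up for this example to show a cookie issued by something other
# than ASP.NET and a cookie that already carries Secure in a different case.
SAMPLE_HEADERS = {
    "before": "ASP.NET_SessionId=o42zbtr1rzzje3wlvwwcnjmv; path=/; HttpOnly",
    "after": "ASP.NET_SessionId=bhn5qcmggcxdy34g5d4kp3hk; path=/; HttpOnly; secure",
    "other_handler": "legacy_sid=abc123; path=/",
    "already_secure": "token=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
}


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are case-insensitive (RFC 6265), so they are lowercased;
    flag attributes such as HttpOnly map to an empty string."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def missing_flags(header_value):
    """Return the hardening attributes the cookie lacks, in a fixed order.

    This is the check the scanner in the post performs: a cookie carrying a
    session identifier should have both Secure and HttpOnly."""
    _, _, attrs = parse_set_cookie(header_value)
    return [flag for flag in ("secure", "httponly") if flag not in attrs]


# The URL Rewrite preCondition matches "; secure" case-insensitively. This
# regex is slightly more tolerant (it also accepts ";Secure" without a space),
# which helps when one rule has to cover cookies from several handlers that
# format their attributes differently.
_SECURE_ATTR = re.compile(r";\s*secure\b", re.IGNORECASE)


def add_secure_flag(header_value):
    """Mirror the outbound rewrite rule: append '; secure' unless present.

    The check before appending is what makes the rule idempotent; without it
    a cookie would collect another Secure attribute on every response."""
    if _SECURE_ATTR.search(header_value):
        return header_value
    return header_value + "; secure"


def audit(headers):
    """Run missing_flags over a dict of label -> Set-Cookie value."""
    report = {}
    for label, value in headers.items():
        name, _, _ = parse_set_cookie(value)
        report[label] = {"cookie": name, "missing": missing_flags(value)}
    return report


if __name__ == "__main__":
    for label, result in audit(SAMPLE_HEADERS).items():
        status = "OK" if not result["missing"] else "missing " + ", ".join(result["missing"])
        print(f"{label:15} {result['cookie']:20} {status}")
    once = add_secure_flag(SAMPLE_HEADERS["before"])
    print()
    print("before, after rewrite:", once)
    # Applying the rewrite a second time must not change the header again.
    assert add_secure_flag(once) == once
```

Run it as-is to print the audit of the sample headers. To check a live site, paste the values from curl -sI https://host | grep -i '^set-cookie' into SAMPLE_HEADERS; any entry reported as missing "secure" is exactly what the scanner above flagged.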


Download

URL Rewrite

Further Reading

HTTP/2 in Action
The Secure Attribute
The HttpOnly Attribute
httpCookies Element (ASP.NET Settings Schema)
Ensuring secure cookies with URL Rewrite
How to Setup HTTP Strict Transport Security (HSTS) on IIS

May 2, 2019 Filed Under: How To Tagged With: IIS, Information Security, Internet, Internet Information Services

How to Create Key Pair Using Kleopatra (GnuPG)

If you need a free way to encrypt files or email, Gpg4win (GNU Privacy Guard for Windows) may be more than enough. It is free software and straightforward to install. Before you can use it, though, you need to create a key pair, and this can be confusing to beginners. Here are the steps to generate a key pair in Gpg4win's Kleopatra:

  1. Launch Kleopatra and click on New Key Pair.

    Kleopatra creating new key pair

  2. Type in your name and email. Although they are optional, fill them in: the name and email address become the user ID attached to your key, which is how others find your key and know whose signature they are verifying.

    Click on the Advanced Settings….

    Kleopatra key pair creation wizard

  3. Select ECDSA/EdDSA. For a start you can leave the defaults, then click OK.

  4. There’s a whole range of debates between using RSA vs ECDSA and you can check some of the included links at the bottom of this post. The short version is, use ECDSA when you can, use RSA if you have concern with compatibility.

    Kleopatra key pair creation advanced settings

  5. Click on the Next button, then click-on Create.

    Kleopatra key pair creation review parameters

  6. In the next window you will be asked for a passphrase. Don't leave it blank. Pick a strong passphrase, using the quality bar as a guide, then click OK.

    Kleopatra set passphrase for key pair creation

  7. When the key pair has been created successfully, you will see the following window with your key's fingerprint; this is the value your contacts should verify with you out of band before trusting the key. Make sure you choose Make a Backup Of Your Key Pair before clicking Finish, and keep that backup somewhere offline.

    Kleopatra key pair successfully created

Once this is done you can export your public key and give it to anyone who needs to send you an encrypted message or file, and you're ready to communicate securely. The secret key and its backup stay private.

Download

Gpg4win

Further Reading

ECDSA: The digital signature algorithm of a better internet
SSH key-type, RSA, DSA, ECDSA. Which to choose?

October 1, 2018 Filed Under: How To Tagged With: Information Security, Internet, Windows

How to Use cURL HTTP/2 on macOS

cURL is one of the most powerful tools for testing HTTP traffic. We typically use cURL to interact with HTTP APIs or to test websites.

Although cURL supports HTTP/2, the version that ships with macOS Sierra does not (see the Update at the end of this post).

If you try to use the --http2 flag, you’ll receive the following error:

$ curl -I --http2 https://www.itnota.com
curl: (1) Unsupported protocol

Fortunately, we can install a second copy from Homebrew alongside the system version. Type the following in a Terminal window (assuming you already have Homebrew installed):

$ brew install curl --with-nghttp2

That’s it.

Keep in mind that this does not replace the system curl, which may be a good or a bad thing for you.

If you want to keep the two separate, you're done: you can always call the second curl by its full path:

$ /usr/local/opt/curl/bin/curl -I --http2 https://www.itnota.com

If you check the version of the two in this example:

# Default Version
$ curl --version
curl 7.51.0 (x86_64-apple-darwin16.0) libcurl/7.51.0 SecureTransport zlib/1.2.8
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets 

# Homebrew Version
$ /usr/local/opt/curl/bin/curl --version
curl 7.54.0 (x86_64-apple-darwin16.6.0) libcurl/7.54.0 OpenSSL/1.0.2l zlib/1.2.8 nghttp2/1.23.1
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy

If you want to set the curl you installed from Homebrew as the default, keep reading.

Set Homebrew cURL as the Default

There are several ways to make the new version your default curl, but I believe the best and safest one is already suggested at the end of the installation output.

Notice that after installing the curl from Homebrew you’ll see a warning and instruction. If you missed it, it will look similar to this:

Homebrew cURL Installation Instructions

[...]

######################################################################## 100.0%
==> ./configure --disable-silent-rules --prefix=/usr/local/Cellar/curl/7.54.0 --with-[...]
==> make install
==> Caveats
This formula is keg-only, which means it was not symlinked into /usr/local,
because macOS already provides this software and installing another version in
parallel can cause all kinds of trouble.

If you need to have this software first in your PATH run:
  echo 'export PATH="/usr/local/opt/curl/bin:$PATH"' >> ~/.bash_profile

For compilers to find this software you may need to set:
    LDFLAGS:  -L/usr/local/opt/curl/lib
    CPPFLAGS: -I/usr/local/opt/curl/include
For pkg-config to find this software you may need to set:
    PKG_CONFIG_PATH: /usr/local/opt/curl/lib/pkgconfig

[...]

Following that instruction, type:

$ echo 'export PATH="/usr/local/opt/curl/bin:$PATH"' >> ~/.bash_profile

Open a new terminal window (or run source ~/.bash_profile), and from then on calling curl without a full path runs the Homebrew version.

If you need to go back to the default macOS version, edit your ~/.bash_profile by typing the following command (no sudo is needed, since the file lives in your own home directory):

$ nano ~/.bash_profile

Look for this line:

export PATH="/usr/local/opt/curl/bin:$PATH"

and comment it out like so:

# export PATH="/usr/local/opt/curl/bin:$PATH"

Then press CTRL-X, answer Y to save the changes, and press Enter to keep the file name.

Now you can test it using the --http2 flag:

$ curl -I --http2 https://www.itnota.com

Update

Update on 5/21/2019: Two changes have made this post obsolete.

First, the curl shipped with macOS now supports HTTP/2.

Second, Homebrew has removed the --with-nghttp2 option from the curl formula, so the instructions above no longer work as written.

You can still follow the instructions above for a Homebrew curl if you substitute the curl-openssl formula and its corresponding path.

So you can uninstall Homebrew curl by running the following:

$ brew uninstall curl

Then install curl-openssl by running the following:

$ brew install curl-openssl

That’s it. You don’t need to pass any flag such as --with-nghttp2 when installing curl-openssl; HTTP/2 support is built in. Just note the path where this curl is installed:

/usr/local/opt/curl-openssl/bin/curl

The latest comparison between the two versions of curl:

# Default Version
$ curl --version
curl 7.54.0 (x86_64-apple-darwin18.0) libcurl/7.54.0 LibreSSL/2.6.5 zlib/1.2.11 nghttp2/1.24.1
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy 

# Homebrew Version
$ /usr/local/opt/curl-openssl/bin/curl --version
curl 7.65.0 (x86_64-apple-darwin18.6.0) libcurl/7.65.0 OpenSSL/1.0.2r zlib/1.2.11 brotli/1.0.7 c-ares/1.15.0 libssh2/1.8.2 nghttp2/1.38.0 librtmp/2.3
Release-Date: 2019-05-22
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz Metalink NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets

Further Reading

brew install curl --with-nghttp2 errors saying “invalid option: --with-nghttp2”

June 10, 2017 Filed Under: How To Tagged With: Internet, macOS

DuckDuckGo as Default Search Engine in Chrome

If you want to use DuckDuckGo as your default search engine in Google Chrome browser, here are a few steps you need to follow to set that up:

  1. Go to Settings
  2. Under Search heading, select Manage search engines…

    Chrome Settings: Manage search engines...

  3. Under Other search engines box, fill in the form in this order:

    1. DuckDuckGo
    2. duckduckgo
    3. https://duckduckgo.com/?q=%s

    Chrome Settings: Other search engines

  4. Click Done and open Manage search engines… again.
  5. Make the DuckDuckGo entry the default.

    Chrome Settings: Make DuckDuckGo as default

  6. You should see it in Chrome’s omnibox now.

    Chrome Settings: DuckDuckGo default search engine

  7. Click Done.

Now when you type a search keyword in the URL box, the query is passed to DuckDuckGo. You can use the same steps to make another search engine your default in Chrome; just make sure you type in its search URL with the %s query placeholder in the right place.

April 24, 2014 Filed Under: How To Tagged With: Internet

Free and Paid Stock Photos Sites

Macbook Pro and Coffee

One sure way to enhance your blog is to add images to its pages. However, we can’t just take any picture from the web and put it on our website, because that would be copyright infringement. Fortunately, there are many stock photo sites where we can get images that are licensed for reuse. But if you’re not careful, stock images can also get expensive, especially if your blog generates little or no income.

So here is a list of some websites that offer free images, even for commercial use (as long as you follow their terms of use), and a few reasonably priced premium sites.

Certainly there are more sites than what’s listed here, but the criteria at this time are all sites that are either free or the least expensive (for the paid ones).

If anyone has any suggestions on other free and/or economical paid sites for stock photos, please let us know and we’ll include them here.

Free Stock Photos

FreeDigitalPhotos.net
Their free photos and illustrations are ideal for business, personal and educational use. Every image is free, with an option to buy larger sizes at reasonable prices.

Morgue File
These images come with free usage rights, with attribution. However, you are responsible for contacting the photographer to make sure any model or property releases have been obtained.

Pexels
Pexels is a free stock photo and video website and app that helps designers, bloggers, and everyone who is looking for visuals to find great photos and videos that can be downloaded and used for free. If you see a photo or video you like, simply download it for free (no strings attached!).

Pixabay
Over 300,000 high quality photos, illustrations, and vector graphics. All images are free – even for commercial use! No attributions required.

Unsplash
Carefully selected high-resolution images can be found on this site. Its collection grows by 10 new photos every 10 days. Unsplash uses the Creative Commons Zero license, which means you are free to copy, modify, distribute and use the photos without permission, whether for a personal blog or for commercial purposes.

Paid Stock Photos

Big Stock Photo
Reasonably priced and the site gives away “Free Image of the Week” for subscribers. You can either buy a pack of credits (which lasts for one year) or a subscription for greater savings.

Deposit Photos
Very reasonably priced for regular blog sites that don’t generate much income.

Dollar Photo Club
A newer site from Fotolia.com with a membership pricing model. Depending on your use, this can be a very economical alternative, as each high-quality image costs only $1. The pricing model is a bit unusual: you pay a membership fee of $99/year, which entitles you to download 99 stock photos. The credits don’t expire, so the following year you are billed another $99 for 99 more downloads plus whatever remains of your previous credits.

Update: Sad news. DollarPhotoClub is now closed to new members and refers people to Adobe Stock instead, which has a higher cost per image.

Pond5
Very cost-effective stock photos site. They not only have royalty-free photos, but also video, music tracks, sound effects and customizable After Effects projects. It’s worth checking out.

January 6, 2014 Filed Under: Internet Tagged With: Internet, Paid Stock, Stock Images, Stock Photo

Copyright © 2011-2025 IT Nota. All rights reserved. Terms of Use | Privacy Policy | Disclosure