Risk Rating \u2013 Medium (Likelihood: Unlikely; Impact: Moderate)
These cookies are accessible by client-side scripts and can be stolen in a cross-site scripting attack. In
the case of a session or user identification cookie, this can lead to account compromise<\/p>\n\n\n\n
![\"\"](\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/04\/image-3.png\")
<\/a><\/figure>\n\n\n\nEnable Secure Flag in IIS Pre-Conditions wasn’t working on another site so I used this<\/p>\n\n\n\n The HTTPOnly attribute makes cookies inaccessible to JavaScript. Additionally, the Secure attributeensures that the cookie may only be transmitted over HTTPS. Cookies used by the application didnot […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-6849","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6849","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=6849"}],"version-history":[{"count":2,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6849\/revisions"}],"predecessor-version":[{"id":6942,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6849\/revisions\/6942"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=6849"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=6849"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=6849"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
<\/strong>To enable secure flag in IIS, it is better to use URL Rewrite and add the following to your web.config file<\/p>\n\n\n\n<system.webServer>\n <rewrite>\n <outboundRules>\n <rule name=\"Use only secure cookies\" preCondition=\"Unsecured cookie\">\n <match serverVariable=\"RESPONSE_SET_COOKIE\" pattern=\".*\" negate=\"false\" \/>\n <action type=\"Rewrite\" value=\"{R:0}; secure\" \/>\n <\/rule>\n <preConditions>\n <preCondition name=\"Unsecured cookie\">\n <add input=\"{RESPONSE_SET_COOKIE}\" pattern=\".\" \/>\n <add input=\"{RESPONSE_SET_COOKIE}\" pattern=\"; secure\" negate=\"true\" \/>\n <\/preCondition>\n <\/preConditions>\n <\/outboundRules>\n <\/rewrite>\n<\/system.webServer><\/code><\/pre>\n\n\n\n<rewrite>\n <outboundRules>\n <rule name=\"Add HttpOnly\">\n <match serverVariable=\"RESPONSE_Set_Cookie\" pattern=\".+\" \/>\n <conditions>\n <add input=\"{R:0}\" pattern=\"; HttpOnly\" negate=\"true\" \/>\n <\/conditions>\n <action type=\"Rewrite\" value=\"{R:0}; HttpOnly\" \/>\n <\/rule>\n <rule name=\"Add Secure\">\n <match serverVariable=\"RESPONSE_Set_Cookie\" pattern=\".+\" \/>\n <conditions>\n <add input=\"{R:0}\" pattern=\"; Secure\" negate=\"true\" \/>\n <\/conditions>\n <action type=\"Rewrite\" value=\"{R:0}; Secure\" \/>\n <\/rule>\n <\/outboundRules>\n <\/rewrite><\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"