June 24, 2017

Testing Secure and HTTPOnly Cookie Flags

A study of HTTPOnly and SECURE cookie flag settings for the top 1000 websites serving HTTPS content

A basic HTTPS request was sent to the top 1000 websites. The HTTP responses were investigated to observe the usage of the HTTPOnly and SECURE cookie flags. Here is what was found:

Unique Domains Responding: 162
    Domains responding to https://www.<site>: 141
    Domains responding to https://<site>: 88

Total Cookies Gathered: 559
    Cookies from https://www.<site>: 373
    Cookies from https://<site>: 186

HTTPOnly Flag
Total unique count of cookies using HTTPOnly flag: 26
    Cookies from https://www.<site>: 25
    Cookies from https://<site>: 11
    Note: 10 of the 11 sites from https://<site> were duplicated within the https://www.<site> results

Total unique count of cookies using secure flag: 15
    Cookies from https://www.<site>: 15
    Cookies from https://<site>: 0

Session Cookies
Cookies containing the word “session”: 91
    Total unique count of these cookies marked HTTPOnly: 12
    Total unique count of these cookies marked SECURE: 8
    Total unique count of these cookies marked SECURE & HTTPOnly: 1 (https://www.clickbank.com)

Total number of cookies marked HTTPOnly & SECURE : 7
    6 from https://www.paypal.com
    1 from https://www.clickbank.com

Raw data can be found at the following link.


I was surprised to see such low numbers. The top 1000 sites include the most frequented sites on the web. Since the sites responded to HTTPS requests, I would have hoped that these sites would also be leveraging the additional security benefits of the HTTPOnly and SECURE flags. It was also interesting to see that of the 91 cookies that could easily be identified as session-related cookies, only 1 cookie was marked as both SECURE and HTTPOnly. Clearly these cookies should be rotated after an actual login, but why establish a session at all if you aren’t going to protect it with these basic cookie flags?

Notes on this test:

HTTPOnly and SECURE flags are used as an extra layer of security and are most often used with sites that support logins. It is unclear what number of the sampled sites support logins and thus would be good candidates to implement these additional controls. Therefore the results should not be construed as a sampling of sites that should be using the HTTPOnly and SECURE flags.

When the HTTPOnly and SECURE flags are used on a website it is likely that they would be used throughout the site. Therefore if any of the sites were to use these flags I would expect them to be used on the page requested for the test. Therefore I believe the presence, or lack thereof, of the HTTPOnly and SECURE flags accurately represents the use of these flags at the tested sites.
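The tally described in this post can be reproduced over captured `Set-Cookie` headers. The sketch below is an added example, not the script used for the study. The function names, the sample responses, the `www.` folding rule and the choice to match "session" against the cookie name are all assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Return (cookie name, set of lowercased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Only attributes after the first ';' are flags; matching on the attribute
    # name keeps a cookie *value* such as "secure-mode" from being miscounted.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def tally(responses):
    """responses: iterable of (url, [Set-Cookie header values]) pairs."""
    counts, seen = Counter(), set()
    for url, headers in responses:
        host = urlsplit(url).hostname
        site = host[4:] if host.startswith("www.") else host
        for header in headers:
            name, attrs = parse_set_cookie(header)
            counts["total"] += 1
            if (site, name) in seen:  # same cookie from www and bare host: first one decides
                continue
            seen.add((site, name))
            http_only, secure = "httponly" in attrs, "secure" in attrs
            session = "session" in name.lower()  # assumption: match on the cookie name
            counts["unique"] += 1
            counts["httponly"] += http_only
            counts["secure"] += secure
            counts["both"] += http_only and secure
            counts["session"] += session
            counts["session_both"] += session and http_only and secure
    return counts

# Constructed sample responses (not data from the study).
SAMPLE = [
    ("https://www.example.test/", ["JSESSIONID=abc123; Path=/; HttpOnly",
                                   "pref=secure-mode; Path=/"]),
    ("https://example.test/", ["JSESSIONID=def456; path=/; httponly"]),
    ("https://www.shop.test/", ["session_id=xyz; Path=/; Secure; HttpOnly",
                                "track=1; Expires=Wed, 21 Oct 2026 07:28:00 GMT; secure"]),
]

if __name__ == "__main__":
    for key, value in tally(SAMPLE).items():
        print(f"{key}: {value}")
```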


Michael Coates
Michael Coates has extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers worldwide. Michael is the creator and leader of the AppSensor project and a contributor to the 2010 OWASP Top 10. As the web security lead at Mozilla Michael protects web applications used by millions of users each day.

Security Blog: http://michael-coates.blogspot.com/
Twitter: @_mwc