HTTP
Cookies
Set-Cookie: <name>=<value>[; <Max-Age>=<age>] [; expires=<date>][; domain=<domain_name>] [; path=<some_path>][; secure][; HttpOnly]
if (max-age AND expiry) {
use max-age
}
Default: cookie is associated with the location of current document (domain as well as path).
Best practices:
Cookie security: manage cookie scope
Secure (Security)
if (HTTPS && cookie_has_Secure_attribute) {
transmit_cookie()
}
if (HTTP && cookie_has_Secure_attribute) {
do_not_transmit_cookie
}
HttpOnly (Security)
A cookie can be set and used over HTTP, but also directly on the web browser via JavaScript.
if (XSS_breach && CSP_did_not_help) {
if (cookie_has_HttpOnly_flag) {
JS_can_not_access_cookie
break;
}
inject_Malicious_JS()
access_Cookie_Value()
}
First-party and third-party
if (cookie.domain == browser_address_bar) => first_party cookie
if (cookie.domain != browser_address_bar) => third_party cookie
SameSite (security)
Spec. SameSite
allows you to declare if your cookie should be restricted to a first-party or same-site context. Preventing Cross Site Request Forgery (CSRF).
Set-Cookie: CookieName=CookieValue; SameSite=Strict;
Set-Cookie: CookieName=CookieValue; SameSite=Lax;
(If the user is on www.web.dev
and requests an image from static.web.dev
then that is a same-site request. your-project.github.com
and my-project.github.com
are separate sites. If the user is on your-project.github.io
and requests an image from my-project.github.io
that's a cross-site request.).
SameSite = Strict
=> the cookies will be sent only in first-party context (only ifcookie.site == browser_url_bar.site
).For example, if you click on a link that points to a Facebook profile page, and if Facebook.com has set its cookie as SameSite=Strict, you cannot continue navigation on Facebook (view the Facebook page) unless you log in to Facebook again. The reason for this is because Facebook`s cookie was not sent by this request.
SameSite = Lax
=> the cookie will be sent along with the GET request initiated by third party website (this request must cause top level navigation).Resources can be loaded by iframe, img tags, and script tags. These requests can also operate as GET requests, but none of them cause TOP LEVEL navigation. Basically, they don't change the URL in your address bar. Because these GET requests do not cause a TOP LEVEL navigation, thus cookies set to Lax won't be sent with them.
Request Type
Example Code
Cookies sent
Link
<a href="..."></a>
Normal, Lax
Perender
<link rel="prerender" href=".."/>
Normal, Lax
Form GET
<form method="GET" action="...">
Normal, Lax
Form POST
<form method="POST" action="...">
Normal
iframe
<iframe src="..."></iframe>
Normal
AJAX
$.get("...")
Normal
Image
<img src="...">
Normal
SameSite = None
=> you intentionally want the cookie sent in a third-party context. When the SameSite=None attribute is present, an additional Secure attribute must be used so cross-site cookies can only be accessed over HTTPS connections. This won’t mitigate all risks associated with cross-site access but it will provide protection against network attacks.
--------------------------------

if (cookie.domain == external_service
&& cookie.domain != address_bar) {
cross-site
}


⚠️Chrome, Since 02.2020: SameSite=Lax
as default. Only cookies SameSite=None; Secure
are available for external access.
Chrome implements these behavior as of version 80. Firefox has them available to test as of Firefox 69 and will make them default behavior in the future. To test these behaviors in Firefox, open
about:config
and setnetwork.cookie.sameSite.laxByDefault
. Edge also plans to change its default behaviors.
How to test
You can test this behaviour as of Chrome 76 by enabling chrome://flags/#cookies-without-same-site-must-be-secure
and from Firefox 69 in about:config
by setting network.cookie.sameSite.noneRequiresSecure
.
HTTPS
HTTP transforms data in plain text.
SSL 3.0 (@Deprecated, Secure Sockets Layer) <-based_on_SSL_3.0- TLS 1.3 (Transport Layer Security)
Goals of HTTPS:
Privacy: encrypting data traffic
Integrity: data received on either side was not altered unknowingly along the way
Authentication: website you are talking to is who they say they are
Symmetric encription
The same key is used for encryption and decryption. This is what home WIFI uses. There is one key (password), which is set into router and laptop.
ENCRYPTION: encryption_algorithm(data, encryption_key) = cipher_text
Asymmetric encryption
Two different keys are used. One to encrypt, second to decrypt. => Public key Cryptography.
Self-signed certificate
Self-signed certificate is a certificate that is not signed by certificate authority (CA).
protocol = https
var certificate
if (certificate.NOT_signed_by_CA()) {
browser_warning = visit_website()
if (bypass_warning) {
possible(() -> man-in-the-middle_attack_with(certificate))
}
} else {
no_warning = visit_website()
}
Digital signature
signed_data = sign_data(private_key)
result = verify_signature(public_key)
if (result is correct) {
certain_that_data_came_from_owner_of_associated_private_key
certain_that_data_was_not_modified_along_the_way
}
TLS

Last updated
Was this helpful?