A study of HTTPOnly and SECURE cookie flag settings for the top 1000 websites serving HTTPS content
A basic HTTPS request was sent to to the top 1000 websites. The HTTP responses were investigated to observe the usage of HTTPOnly and SECURE cookie flags. Here is what was found:
Unique Domains Responding: 162
Domains responding to https://www.<site>: 141
Domains responding to https://<site>: 88
Total Cookies Gathered: 559
Cookies from https://www.<site>: 373
Cookies from https://<site>: 186
HTTPOnly Flag
Total unique count of cookies using secure flag: 26
Cookies from https://www.<site>: 25
Cookies from https://<site>:11
Note: 10 of the 11 sites from https://<site> were duplicated within the https://www.<site> results
SECURE Flag
Total unique count of cookies using secure flag: 15
Cookies from https://www.<site>: 15
Cookies from https://<site>: 0
Session Cookies
Cookies containing the word "session": 91
Total unique count of these cookies marked HTTPOnly: 12
Total unique count of these cookies marked SECURE: 8
Total unique count of these cookies marked SECURE & HTTPOnly: 1 (https://www.clickbank.com)
HTTPOnly & SECURE
Total number of cookies marked HTTPOnly & SECURE : 7
6 from https://www.paypal.com
1 from https://www.clickbank.com
Raw data can be found at the following link.
Conclusion:
I was surprised to see such low numbers. The top 1000 sites includes the most frequented sites on the web. Since the sites responded to HTTPS requests, I would have hoped that these sites would also be leveraging the additional security benefits of the HTTPOnly and SECURE flags. It was also interesting to see that of the 91 cookies that could easily be identified as session related cookies, only 1 cookie was marked as both SECURE and HTTPOnly. Clearly these cookies should be rotated after an actual login, but why establish a session at all if you aren't going to protect it with these basic cookie flags?
Notes on this test:
HTTPOnly and SECURE flags are used as an extra layer of security and are most often used with sites that support logins. It is unclear what number of the sampled sites support logins and thus would be good candidates to implement these additional controls. Therefore the results should not be construed as a sampling of sites that should be using the HTTPOnly and SECURE flags.
When the HTTPOnly and SECURE flags are used on a website it is likely that they would be used throughout the site. Therefore if any of the sites were to use these flags I would expect them to be used on the page requested for the test. Therefore I believe the presence, or lack thereof, of the HTTPOnly and SECURE flags accurately represents the use of these flags at the tested sites.
-Michael Coates - @_mwc