Apply Secure Cookie to AWS Wordpress Instance

Keywords: WordPress - AWS - How to - Other
Description:
Server Info:
Server Version: Apache/2.4.43 (Unix)
AWS Bitnami Wordpress

Can someone describe in detail how to add “Secure Cookie” headers?

I tried adding Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure, one by one, to the top of the files below:

/opt/bitnami/apps/wordpress/conf/httpd-app.conf
/opt/bitnami/apps/wordpress/conf/htaccess.conf
/opt/bitnami/apache2/conf/http.conf

Then I ran sudo /opt/bitnami/ctlscript.sh restart apache, but nothing works.

Is there a certain section I need to add it to work?

To add, I have been using https://observatory.mozilla.org/ and ticking “Force a rescan instead of returning cached results” to make sure it’s not cached.

Hi @jeremyL2021,

Thanks for using Bitnami. Can you give us more information on which header you are trying to add and where? Is it for WordPress only? Can you check your syntax is ok according to the official docs?

https://httpd.apache.org/docs/current/mod/mod_headers.html

We also have a Support Tool that will gather relevant information for us to analyze your configuration and logs. Could you please execute it on the machine where the stack is running by following the steps described in the guide below?

Please note that you need to paste the code ID that is shown at the end.

Sorry for the confusion. I am using https://observatory.mozilla.org/ to check that the secure cookie header has been applied, but it didn’t work.

As mentioned, I am running an AWS Lightsail instance and selected “Linux/Unix” --> “Apps + OS” --> “WordPress”.

Now, with this in mind, I am trying to apply the secure cookie headers below:

  • Secure: All cookies must be set with the Secure flag, indicating that they should only be sent over HTTPS
  • HttpOnly: Cookies that don’t require access from JavaScript should be set with the HttpOnly flag

I was attempting to add the HttpOnly and Secure headers, so I read different forums, and most described adding a line into the .conf or .htaccess files but didn’t give any information about which one I needed to modify.

(Article I was reading: https://geekflare.com/httponly-secure-cookie-apache/, and there are many articles supporting this method but mentioning different files to edit to apply these settings.)

Added the line below to the config files:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Location:
/opt/bitnami/apps/wordpress/conf/httpd-app.conf
/opt/bitnami/apps/wordpress/conf/htaccess.conf
/opt/bitnami/apache2/conf/http.conf

So possibly the best question is: which section do I add that line to?

Looking at the link you sent me, it seems that my line is correct, but possibly I am entering it in the incorrect spot. Hopefully the information above clears up any questions, and hopefully it is as simple as pointing me to the correct .conf or .htaccess file or files to edit/update.

Many Thanks
Jeremy

Actually, I think I found a solution on a forum site, so leave it to me to investigate whether this solution works :slight_smile:

Actually, it didn’t work. I tried adding it to both sections: initially with just the Header always line and restarting Apache, and then including the <IfModule begin and ending lines.

Hi @jeremyL2021,

Thanks for the detailed explanation. I think I know what the issue you are facing is. edit only works if the header already exists (Set-Cookie in your case), but I launched a new WordPress server and the Set-Cookie header was not set by default.

To do a test, I added the following lines to the /opt/bitnami/apache2/conf/httpd.conf file

Header set MyHeader "Hello world!"
Header set Set-Cookie "bitnami"
Header append Set-Cookie HttpOnly;Secure

which creates two different custom headers and appends the HttpOnly;Secure value to Set-Cookie. I added those lines right above the following lines

# The following lines prevent .user.ini PHP settings files from being viewed by Web clients.
<Files ".user.ini">

After that, I restarted Apache and I get the new headers as you can see below

$ curl -LI "http://127.0.0.1/"
HTTP/1.1 200 OK
Date: Fri, 30 Apr 2021 09:01:27 GMT
Server: Apache
X-Powered-By: PHP/7.4.16
Link: <http://127.0.0.1/wp-json/>; rel="https://api.w.org/"
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
MyHeader: Hello world!
Set-Cookie: bitnami, HttpOnly;Secure
Cache-Control: max-age=0, no-cache
Content-Type: text/html; charset=UTF-8

Notice that Apache internally appended the two values using a comma and a whitespace. Not sure if you would need to take that into account for the HttpOnly;Secure string or not. According to the official Apache docs, this is the right way of setting a header with multiple values:

https://httpd.apache.org/docs/current/mod/mod_headers.html#header

append

The response header is appended to any existing header of the same name. When a new value is merged onto an existing header it is separated from the existing header with a comma. This is the HTTP standard way of giving a header multiple values.

append will also create the header in case it doesn’t exist, so you don’t need the Header set Set-Cookie line, I think.

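Because a browser splits a Set-Cookie value on ";" (RFC 6265, section 5.2: the first piece is the cookie-pair, the rest are attributes), the easiest way to confirm that Secure and HttpOnly really took effect is to parse the values a response carries rather than eyeball them. The script below is an added example, not code from this thread or from Bitnami: it audits a list of Set-Cookie values (constructed samples, including the comma-joined value shown in the curl output above) and fetch_set_cookies is an optional helper for checking a live site.

```python
"""Audit Set-Cookie header values for the Secure and HttpOnly attributes."""
from dataclasses import dataclass, field
from typing import List
import urllib.request


@dataclass
class CookieCheck:
    name: str            # empty when the cookie-pair has no '=' (nameless cookie)
    secure: bool
    httponly: bool
    missing: List[str] = field(default_factory=list)


def parse_set_cookie(value: str) -> CookieCheck:
    # RFC 6265 5.2: cookie-pair is everything before the first ';'; the
    # remaining ';'-separated pieces are attributes. Commas are NOT separators,
    # so "bitnami, HttpOnly" is one cookie-pair, not a cookie plus a flag.
    pair, *attrs = value.split(";")
    name, sep, _ = pair.partition("=")
    # Attribute names are case-insensitive; Secure/HttpOnly carry no value.
    flags = {a.strip().split("=", 1)[0].lower() for a in attrs}
    secure, httponly = "secure" in flags, "httponly" in flags
    missing = [f for f, ok in (("Secure", secure), ("HttpOnly", httponly)) if not ok]
    return CookieCheck(name.strip() if sep else "", secure, httponly, missing)


def audit(set_cookie_values: List[str]) -> List[CookieCheck]:
    """Return one CookieCheck per Set-Cookie value of a response."""
    return [parse_set_cookie(v) for v in set_cookie_values]


def fetch_set_cookies(url: str) -> List[str]:
    """Collect every Set-Cookie value from the final response of a GET to url."""
    with urllib.request.urlopen(url) as resp:  # follows redirects like curl -L
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample: a hardened login cookie, a WordPress test cookie set
# without flags, and the comma-joined value the Header append test produced.
SAMPLE_HEADERS = [
    "wordpress_logged_in_EXAMPLE=admin%7C9999; Path=/; HttpOnly; Secure",
    "wordpress_test_cookie=WP+Cookie+check; Path=/",
    "bitnami, HttpOnly;Secure",
]

if __name__ == "__main__":
    for c in audit(SAMPLE_HEADERS):
        status = "ok" if not c.missing else "missing " + ", ".join(c.missing)
        print(f"{c.name or '<no name>'}: {status}")
```

Run it as-is to see the sample audit, or replace SAMPLE_HEADERS with fetch_set_cookies("https://your-site/wp-login.php") to inspect what your own instance sends; note that the comma-joined sample ends up with Secure but not HttpOnly, because "HttpOnly" landed inside the cookie-pair instead of after a ";".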

Thank you for your help, that worked :slight_smile:


Hi @jeremyL2021,

Thanks for the info. I’m glad it worked for you! We will close this thread as solved. Please do not hesitate to open a new one with any other questions you may have.