@gsherman
Created January 20, 2011 22:40
a rewriting rule that adds "HttpOnly" to any outgoing "Set-Cookie" headers
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <!--
      Rewrite any outgoing "Set-Cookie" headers to be "HttpOnly"
      Requires the IIS7 URL Rewrite Module, available from: http://www.iis.net/download/urlrewrite
    -->
    <rewrite>
      <outboundRules>
        <rule name="Add HttpOnly" preCondition="No HttpOnly">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
          <action type="Rewrite" value="{R:0}; HttpOnly" />
          <conditions>
          </conditions>
        </rule>
        <preConditions>
          <preCondition name="No HttpOnly">
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
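An added example, not part of the original gist: a Python model of the rule's preCondition and rewrite action, run over constructed Set-Cookie values to show which headers the rule changes and to confirm the flag is present afterwards. It assumes the URL Rewrite defaults (regular-expression patterns, case-insensitive matching, every preCondition entry must match) and handles one header value at a time; all function names are hypothetical.

```python
import re

# The two <add> entries of the "No HttpOnly" preCondition.
# Assumption: patterns are regexes matched case-insensitively (module default).
NON_EMPTY = re.compile(r".", re.IGNORECASE)
HAS_HTTPONLY = re.compile(r"; HttpOnly", re.IGNORECASE)


def precondition_no_httponly(set_cookie: str) -> bool:
    """True when the preCondition would let the 'Add HttpOnly' rule run."""
    return bool(NON_EMPTY.search(set_cookie)) and not HAS_HTTPONLY.search(set_cookie)


def apply_rule(set_cookie: str) -> str:
    """Header value as the outbound rule would emit it: "{R:0}; HttpOnly"."""
    if precondition_no_httponly(set_cookie):
        return set_cookie + "; HttpOnly"
    return set_cookie


def has_httponly_attribute(set_cookie: str) -> bool:
    """Attribute-aware check: split on ';' and compare attribute names."""
    attrs = [part.strip().lower() for part in set_cookie.split(";")[1:]]
    return "httponly" in attrs


def missing_after_rule(headers):
    """Non-empty header values that would still lack HttpOnly after the rule."""
    return [h for h in headers if h and not has_httponly_attribute(apply_rule(h))]


# Constructed sample header values, not captured from a real server.
SAMPLES = [
    "sid=abc123; Path=/",            # no flag: rule appends it
    "sid=abc123; Path=/; HttpOnly",  # already set: rule is skipped
    "sid=abc123; Path=/; httponly",  # lower case still counts as set
    "sid=abc123; Path=/;HttpOnly",   # no space after ';': substring test misses it,
                                     # so the attribute is appended a second time
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r:40} -> {apply_rule(header)!r}")
    print("still missing HttpOnly:", missing_after_rule(SAMPLES))
```

The last sample shows that the preCondition is a substring test rather than an attribute parse, so a header written as `;HttpOnly` ends up carrying the attribute twice.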