Symptoms
PCI scanners report a failure similar to the following:
"A Cookie Vulnerability helps an attacker to gain access to session information stored in cookies. It may also be used as a 'locator' attack that precedes a Cross-Site Scripting (XSS) or Man-In-The-Middle attack. When looking for Cookie Vulnerabilities, an attacker will first observe cookies through various HTTP proxies and check their attributes. The attacker will then try to steal cookies of various users by employing multiple attacks. If successful, he/she may be able to get sensitive information which can be further used in an illegitimate way."
Description
One of the common findings in a PCI scan is that the web application sets cookies without the Secure and HttpOnly attributes. Secure stops the browser from sending the cookie over plain HTTP; HttpOnly stops page scripts from reading it, which limits what a Cross-Site Scripting bug can steal. A few Apache mod_headers directives plus two php.ini settings make the web server add both attributes to every cookie it sends, regardless of how the application sets them. Because every cookie then becomes Secure, the site must be served over HTTPS (with plain HTTP redirected to HTTPS), or logins that rely on those cookies will stop working.
Solution
1. Use the "WHM Apache Include Editor" to edit pre_main_global, or edit the file "/etc/apache2/conf.d/includes/pre_main_global.conf" directly via SSH as the root user. Add the following section to the file:
<IfModule mod_headers.c>
    # "always" applies each header to error responses (4xx/5xx) as well, which scanners also inspect.
    # HSTS: 300 seconds is a low value for confirming every subdomain works over HTTPS first. The
    # preload list requires max-age of at least 31536000 (one year); raise it before submitting, and
    # note that "includeSubDomains" and "preload" are commitments that are hard to withdraw.
    Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"
    # Append HttpOnly and Secure to every Set-Cookie the application emits.
    Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "no-referrer"
    Header always set X-Permitted-Cross-Domain-Policies "none"
    # Legacy header: current browsers ignore it; kept only because some scanners still check for it.
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>
Run a configtest so Apache confirms the configuration with "Syntax OK" before you restart; restarting with a broken include would take the web server down:
/usr/sbin/apachectl configtest
If the configtest reports "Syntax OK", restart Apache. If it reports an error, fix that error first and re-run the configtest before restarting:
/scripts/restartsrv_httpd
2. Apply the PHP settings with the "WHM MultiPHP INI Editor" or, via SSH, by editing the file "/opt/cpanel/ea-phpxx/root/etc/php.ini" directly.
Note: Replace xx with the PHP version you are modifying. For example, for PHP 7.4 you would edit "/opt/cpanel/ea-php74/root/etc/php.ini". Repeat for every PHP version the server's sites use.
In the php.ini set the options below (these make PHP itself emit the attributes on its session cookie, so the session stays protected even on a request the Apache include does not cover):
session.cookie_secure = On
session.cookie_httponly = On
If you use Apache PHP-FPM, restart it after the change so the pools pick up the new php.ini:
/scripts/restartsrv_apache_php_fpm
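Before asking for the rescan, you can check the result yourself. The helper below is an added example, not part of the original article or of cPanel's tooling: it reads raw HTTP response headers on stdin and verifies what the scanner will look for, namely that every Set-Cookie carries both Secure and HttpOnly, that the headers from the Apache include are present, and that the HSTS max-age is long enough for preload. The two sample responses are constructed for the dry run, not captured from a real server, and www.example.com in the usage comment is a placeholder for the scanned site.

```shell
#!/bin/sh
# check_pci_headers: read HTTP response headers on stdin; return 0 when every
# Set-Cookie has Secure and HttpOnly and the expected security headers exist,
# otherwise print each problem and return 1.
# Live usage (www.example.com is a placeholder; -D - dumps headers to stdout):
#   curl -sS -o /dev/null -D - https://www.example.com/ | check_pci_headers
check_pci_headers() {
    hdrs=$(tr -d '\r')   # strip CR so the patterns anchor on LF-terminated lines
    rc=0

    # 1. Cookie attributes: attribute names are case-insensitive (RFC 6265),
    #    so compare on a lowercased copy of each Set-Cookie line.
    bad=$(printf '%s\n' "$hdrs" | awk '
        tolower($0) ~ /^set-cookie:/ {
            v = tolower($0)
            if (v !~ /;[ \t]*secure[ \t]*(;|$)/ || v !~ /;[ \t]*httponly[ \t]*(;|$)/)
                print "  " $0
        }')
    if [ -n "$bad" ]; then
        printf 'FAIL: Set-Cookie without Secure and/or HttpOnly:\n%s\n' "$bad"
        rc=1
    fi
    if ! printf '%s\n' "$hdrs" | grep -iq '^set-cookie:'; then
        printf 'NOTE: no Set-Cookie in this response; fetch a page that starts a session\n'
    fi

    # 2. Headers the Apache include is expected to add on every response.
    for h in Strict-Transport-Security X-Frame-Options X-Content-Type-Options Referrer-Policy; do
        if ! printf '%s\n' "$hdrs" | grep -iq "^$h:"; then
            printf 'FAIL: %s header missing\n' "$h"
            rc=1
        fi
    done

    # 3. HSTS preload submission requires max-age >= 31536000; warn on short values.
    maxage=$(printf '%s\n' "$hdrs" | awk -F'max-age=' '
        tolower($0) ~ /^strict-transport-security:/ && NF > 1 {
            split($2, a, "[^0-9]"); print a[1]; exit
        }')
    if [ -n "$maxage" ] && [ "$maxage" -lt 31536000 ]; then
        printf 'WARN: HSTS max-age=%s is below the 31536000 the preload list requires\n' "$maxage"
    fi
    return $rc
}

# Constructed sample responses (not captured from any real host) for a dry run:
# a site before the fix, and the same site after steps 1 and 2.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=abc123; path=/
Content-Type: text/html'

SAMPLE_AFTER='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300; includeSubDomains; preload
Set-Cookie: PHPSESSID=abc123; path=/; secure; HttpOnly
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Content-Type: text/html'

if printf '%s\n' "$SAMPLE_BEFORE" | check_pci_headers; then
    echo "before: pass"
else
    echo "before: fail (expected)"
fi
if printf '%s\n' "$SAMPLE_AFTER" | check_pci_headers; then
    echo "after: pass (expected, with the max-age warning)"
else
    echo "after: fail"
fi
```

Run it against the HTTPS URL the scanner tests, and also against a URL that returns an error page, since "Header set" without "always" would leave error responses bare; a clean exit status on both is the signal that a rescan is worthwhile.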
That's it! Ask your PCI scan vendor to rescan the site.