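We can mitigate the most common XSS attacks by setting the HttpOnly and Secure flags on our cookies: HttpOnly keeps a cookie out of reach of JavaScript, and Secure restricts it to HTTPS connections. Without the HttpOnly and Secure flags on the Set-Cookie HTTP response header, it is possible to steal or manipulate the web application's session and cookies.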
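Steps to enable the HttpOnly and Secure flags:
Go to: Home > Service Configuration > Apache Configuration > Include Editor > Pre Main Include > All Versions
Add the code: Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"
(The replacement is quoted because it contains spaces; left unquoted, Apache rejects the directive for having too many arguments.)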
Restart Apache
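To check the result after the restart, the following added example (not part of the original page) audits Set-Cookie values for the two flags and models what the unconditional edit above does, including to a cookie that the application already marks HttpOnly. The function names and the sample header values are constructed for illustration.

```python
import re

FLAGS = ("httponly", "secure")

def cookie_flags(set_cookie):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = [p.split("=", 1)[0].strip().lower() for p in parts[1:] if p]
    return name, attrs

def audit(set_cookie):
    """Report which of the two flags are missing or appear more than once."""
    name, attrs = cookie_flags(set_cookie)
    return {
        "name": name,
        "missing": [f for f in FLAGS if f not in attrs],
        "duplicated": [f for f in FLAGS if attrs.count(f) > 1],
    }

def apply_header_edit(set_cookie):
    """Model of: Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"
    'edit' rewrites the first match only, hence count=1."""
    return re.sub(r"^(.*)$", r"\1; HttpOnly; Secure", set_cookie, count=1)

# Constructed sample values, as an application might emit them before the edit.
SAMPLES = [
    "PHPSESSID=abc123; path=/",
    "cart=42; Path=/; HttpOnly",
    "theme=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        before = audit(raw)
        after = audit(apply_header_edit(raw))
        print(f"{before['name']}: missing before={before['missing']} "
              f"missing after={after['missing']} duplicated after={after['duplicated']}")
```

Run `audit` against the Set-Cookie values your own site returns after the change; a non-empty `missing` list means the include is not being applied to that response.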