Plug the Hole
We are all aware of the importance for securing confidential information in our application, or keeping information out of an attacker’s hands that might be able to be used for malicious intent. But what about the information we don’t know might be used against us? You know, one of those you-don’t-know-what-you-don’t-know, until it’s too late!
Well if we can reduce the data surface that our applications expose, then we would direct reduce the information we are putting into an attacker’s hands. HTTP Cookies is a highly utilized mechanism for hosting application data to maintain state between different parts of our applications. Despite what camp you might fall into as far as what information should or should not be put into cookies, we don’t always have the luxury of knowing ahead of time what information could be crucial. This might be because of the frameworks and third party tools we use and how they utilize cookies or just ignorance of the information being transported. But at the end of the day, the HTTP Cookies that our application uses can be directly tied to being part of our application’s data surface.
Learn why and how to secure your ASP.NET application’s cookies to help reduce the data surface that your application exposes. Though, this is utilizing ASP.NET for demonstration purposes, the resulting security measures with HTTP Cookies are agnostic to the language or framework.