Bringing your website into compliance with GDPR means securing your cookies. They’re essential for the site’s operation and its functionalities. You’ll apply an actual policy for managing your trackers. And you’ll use HttpOnly and Secure attributes. Let’s talk about it.
What is an HTTP cookie?
When users visit a website, their browser sends a request to the publisher’s server. The server can then create one or more cookies, which the browser stores so that this state can be returned with subsequent requests.
The publisher’s server creates a cookie with the Set-Cookie header in an HTTP response.
The syntax of this header is as follows:
Set-Cookie: <name>=<value>[; Max-Age=<age>][; Expires=<date>][; Domain=<domain_name>][; Path=<some_path>][; Secure][; HttpOnly]
This header contains the name of the cookie, associated with a value, and various metadata.
Typically, a cookie keeps the user identified from one session to another without reconnecting to their account. Of course, cookies can be used for many other things:
- activating features such as a video player or a chat popup with customer support
- displaying personalized advertisements
- sharing articles on social networks…
Why is it necessary to secure your website and cookies?
Securing your website is essential:
- An attacker could target your data collection forms and attack your database to retrieve information;
- A user account can access sensitive data that must remain confidential.
Protecting the personal data of your users, clients, and prospects is a legal obligation in itself. But it is also, above all, a real sign of respect toward your audience. It is, therefore, a significant issue in your GDPR compliance process and website creation.
Why?
Because a data breach can have a devastating impact on your audience:
- The disclosure of confidential and sensitive data can create a real shock that will have a substantial effect on the trust of your users and your e-reputation;
- An attacker can resell the stolen data on the black market, spreading it even further;
- An attacker can also use stolen data to impersonate a user account or extort money.
This is why the CNIL has issued a specific set of best practices for website security.
Have you already switched your website to HTTPS? Do you use a trusted payment provider to manage online transactions? That’s great, but more is needed. Because cookies are also a vulnerability factor, you must take care of them.
Let’s take an example to understand.
You have secured your website with HTTPS, including the registration and login forms. But an unsecured cookie is set when these pages are loaded. A malicious actor could hijack this cookie to collect personal data associated with the user’s account!
As you can see, website security is a significant issue.
The ultimate checklist to secure your cookies
You will implement a concrete plan to manage your cookies and improve the GDPR compliance of your website. This involves ensuring that cookies comply with specific legal requirements, whether they are:
- First-party cookies, i.e., those set by the publisher;
- Third-party cookies, i.e., those set by commercial partners or solution providers.
What measures should you take?
- Ensure centralized management of tags and cookies. This will often be done by installing a Tag Management System such as Google Tag Manager;
- Clean up and remove tags from tools you no longer use;
- Verify the information contained or collected by cookies. Do not store sensitive data in them;
- Limit the lifespan of your cookies to 13 months;
- Obtain prior consent before setting non-essential cookies on the site. This will often be done by installing a Consent Management Platform such as Axeptio;
- Apply the HttpOnly and Secure attributes in the Set-Cookie header.
The HttpOnly directive to prevent cookie usage on the client side
A cookie can be read and written from the browser through JavaScript (document.cookie), and that’s where it gets complicated. An attacker could take advantage of an XSS vulnerability. This vulnerability allows injecting JavaScript, which would provide access to the cookies and the information, sometimes sensitive, they contain.
Naturally, you will strive to install a robust security policy to prevent XSS vulnerabilities and minimize their impact.
The HttpOnly directive is an additional measure. In the event of an attack by JavaScript injection, cookies marked HttpOnly cannot be read by the injected script, because the browser only sends them in HTTP requests.
The Secure flag to prevent the use of cookies without HTTPS on your websites
Information security is complicated, but it’s an essential requirement of GDPR compliance, so it must be taken seriously.
- You’ve switched your website to HTTPS, so you might think that cookies are no longer vulnerable to attacks because they’re transmitted over a secure protocol. This is not entirely true.
- Your users may still connect to the website via plain HTTP. If this is the case, an attacker on the network can do the same and read the cookies, and with them personal data. To prevent this, you need to send the HSTS header so that browsers upgrade HTTP connections to HTTPS for your domain.
- You must also control third-party content you integrate into your website, such as iframes, which may still be loaded over HTTP. Cookies themselves may then also be transmitted over HTTP.
The solution? Add the Secure attribute to the Set-Cookie header. This prevents the browser from sending the cookie over plain HTTP.
What are the consequences?
- The cookie is secure. If your website is served over HTTPS, it is set and sent normally.
- No cookies will be sent on pages served over HTTP. If your site aggregates mixed content, such as iframes or other elements, over HTTP, be aware that the Secure cookies will not be sent with those requests.
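As an added example (not code from the original article or from Axeptio), here is a small audit script that applies the checklist above to the Set-Cookie headers of a response: it flags cookies missing Secure or HttpOnly and cookies whose lifetime exceeds 13 months. The header values are constructed samples; the 13-month limit is computed as 13 × 31 days.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Upper bound for the 13-month lifetime recommended above (13 x 31 days, in seconds).
THIRTEEN_MONTHS = 13 * 31 * 24 * 3600


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attribute: value}).

    Attribute names are lower-cased so 'Secure', 'secure' and 'SECURE' compare equal;
    flag attributes without a value (Secure, HttpOnly) map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header, now=None):
    """Return a list of findings for one Set-Cookie header; an empty list means it passes."""
    now = now or datetime.now(timezone.utc)
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (browser will send it over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable from document.cookie)")
    # Max-Age takes precedence over Expires when both are present.
    lifetime = None
    if "max-age" in attrs:
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        lifetime = (parsedate_to_datetime(attrs["expires"]) - now).total_seconds()
    if lifetime is not None and lifetime > THIRTEEN_MONTHS:
        findings.append(f"{name}: lifetime exceeds 13 months")
    return findings


# Constructed sample headers: a well-configured session cookie and a two-year tracker.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Max-Age=3600; Secure; HttpOnly",
    "tracker=xyz789; Path=/; Max-Age=63072000",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", audit_cookie(header) or "OK")
```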
Conclusion: Secure your websites with HttpOnly and Secure attributes
Managing a website involves several fundamental issues:
- Compliance with GDPR requires drafting a privacy policy, reviewing forms, and obtaining consent.
- The website’s information security.
For cookies, it’s the same. You need to install a Consent Management Platform. Axeptio can be a solution for you. It’s a simple, modern, and elegant way to enhance the user experience by integrating a means of controlling privacy.
Need help? Let’s talk about it.
But once you’ve managed cookies and met your transparency and consent requirements, you still need to verify the security level of the trackers you set.
Doing this will bring your website up to the state of the art, a true confidence builder for your audience.