Question
I am not able to see SameSite=Strict using builtin developer tools in the “Application” tab.
I have added the Header directives below in my Apache configuration
Header always edit Set-Cookie (.*) "$1;SameSite=Strict"
Header edit Set-Cookie ^(.*)$ $1;SameSite=Strict
Please let me know how to set SameSite=Strict using the above settings.
Answer 1:
For apache2 >= 2.2.4
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
For apache2 lower than 2.2.4
Header set Set-Cookie HttpOnly;Secure;SameSite=Strict
Answer 2:
In my local environment (Apache 2.4), after enabling mod_headers I was able to achieve this by adding directives like the ones below in my vhost:
<ifmodule mod_headers.c>
Header always edit Set-Cookie (.*) "$1; SameSite=strict"
</ifmodule>
Where is the difference? Why didn't it work for you? Maybe it's the lack of a "space" after the semicolon?
<ifmodule mod_headers.c>
# always is similar to "onerrors"
Header always edit Set-Cookie (.*) "$1; SameSite=strict"
# success is similar to http 2xx response code
Header onsuccess edit Set-Cookie (.*) "$1; SameSite=strict"
# remove duplications (apache sends from both tables always and onsuccess)
## https://www.tunetheweb.com/security/http-security-headers/secure-cookies/
#Strip off double SameSite=strict settings as using above you can sometimes get both
Header edit Set-Cookie ^(.*);\s?SameSite=strict;?\s?(.*);\s?SameSite=strict;?\s?(.*)$ "$1; $2; $3; SameSite=strict"
#Strip off double ;; settings
Header edit Set-Cookie ^(.*);\s?;\s?(.*)$ "$1; $2"
</ifmodule>
[apache manual](https://httpd.apache.org/docs/2.2/de/mod/mod_headers.html)
[stack discussion] (httpd duplicate Access-Control-Allow-Origin with "Header always set")
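A check for the outcome, as an added example that is not part of either answer: it parses raw Set-Cookie header values (the constructed samples below stand in for what `curl -i` shows, since the browser's Application tab hid the attribute for the asker) and reports whether SameSite landed, was doubled by the always/onsuccess tables, or is set to None without Secure.

```python
from dataclasses import dataclass, field

# Constructed Set-Cookie values (not taken from the page), in the shapes the
# edit directives above can produce: clean, doubled (always + onsuccess both
# applied), and one the backend sent with a SameSite=None of its own.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=strict",
    "pref=dark; Path=/; SameSite=strict; SameSite=strict",
    "track=1; Path=/; SameSite=None",
]

@dataclass
class CookieAudit:
    name: str
    samesite: list = field(default_factory=list)   # every SameSite value seen
    secure: bool = False
    httponly: bool = False
    problems: list = field(default_factory=list)

def audit_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value and report SameSite/Secure/HttpOnly state."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    audit = CookieAudit(name=name)
    for attr in parts[1:]:
        if not attr:
            # Left behind by a regex that joined pieces with "; " twice.
            audit.problems.append("empty attribute (stray ';')")
            continue
        key, _, value = attr.partition("=")
        key = key.lower()                      # attribute names are case-insensitive
        if key == "samesite":
            audit.samesite.append(value.strip().lower())
        elif key == "secure":
            audit.secure = True
        elif key == "httponly":
            audit.httponly = True
    if not audit.samesite:
        audit.problems.append("SameSite missing: the Header edit did not apply")
    elif len(audit.samesite) > 1:
        audit.problems.append("SameSite set %d times (always + onsuccess?)" % len(audit.samesite))
    if "none" in audit.samesite and not audit.secure:
        audit.problems.append("SameSite=None requires Secure; browsers drop the cookie")
    return audit

def audit_all(headers):
    """Map cookie name -> CookieAudit for a list of Set-Cookie values."""
    return {a.name: a for a in map(audit_set_cookie, headers)}

if __name__ == "__main__":
    for name, a in audit_all(SAMPLE_HEADERS).items():
        print(name, a.samesite, "Secure" if a.secure else "-", a.problems)
```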
Source: https://stackoverflow.com/questions/54104573/how-to-set-samesite-cookie-attribute-using-apache-configuration