HttpOnly session cookies
Whether you use HTTP or HTTPS, flag your cookies as HttpOnly, which means they are transmitted only over HTTP or HTTPS protocols.
This setting alone already prevents most XSS attacks, since
When a client makes a call to the
In the AM admin UI, go to Configure > Server Defaults > Advanced.
Set the com.sun.identity.cookie.httponly advanced server property to true, and save your changes.
You must make this change in all the AM instances in the site.
Regardless of the value of the com.sun.identity.cookie.httponly property, AM upgrades cookies to secure cookies (except the amlbcookie cookie) when requests arrive over a secure channel.
Restart AM or the container where it runs.
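To check the result after the restart, the following is an added example (not part of the AM documentation) that audits a response's Set-Cookie headers against the rules above: every cookie should carry HttpOnly, and over HTTPS every cookie except amlbcookie should also carry Secure. The sample headers are constructed, and the session cookie name iPlanetDirectoryPro is an assumption.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags (added example)."""

# Constructed sample response headers; the session cookie name iPlanetDirectoryPro
# and its value are assumptions, not output captured from a real AM instance.
SAMPLE_HEADERS = [
    ("Set-Cookie", "iPlanetDirectoryPro=AQICexampletoken; Path=/; Domain=example.com; Secure; HttpOnly"),
    ("Set-Cookie", "amlbcookie=01; Path=/; Domain=example.com; HttpOnly"),
    ("Set-Cookie", "legacyPref=dark; Path=/; Max-Age=3600"),
]

# Cookies that AM does not upgrade to Secure over a secure channel (see the text above).
SECURE_EXEMPT = frozenset({"amlbcookie"})


def parse_set_cookie(header_value):
    """Return (cookie_name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    # Attribute names are case-insensitive; values (Path=/, Max-Age=3600) are dropped.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(headers, over_tls):
    """Return a list of (cookie_name, problem) for cookies that violate the flag rules.

    headers: iterable of (header_name, header_value) pairs as returned by an HTTP client.
    over_tls: True when the response was received over HTTPS, so Secure is expected.
    """
    findings = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hvalue)
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly"))
        if over_tls and "secure" not in attrs and name not in SECURE_EXEMPT:
            findings.append((name, "missing Secure"))
    return findings


if __name__ == "__main__":
    for cookie, problem in audit_cookies(SAMPLE_HEADERS, over_tls=True):
        print(f"{cookie}: {problem}")
```

Replace SAMPLE_HEADERS with the header pairs from a real response (for example, http.client's getresponse().getheaders()) to audit a live instance.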