Improving Cookie Security

Defending your browser from CSRF attacks

To defend your browser from cross-site request forgery (CSRF) attacks, you can add a cookie same-site setting to FileCloud.

The cookie same-site value can be set to one of the following, as described in the MDN Web Docs at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite:

  • Lax - Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is navigating to the origin site (i.e., when following a link).
  • Strict - Cookies will only be sent in a first-party context and not be sent along with requests initiated by third-party websites.
  • None - Cookies will be sent in all contexts, i.e. in responses to both first-party and cross-origin requests. If SameSite=None is set, the cookie Secure attribute must also be set (or the cookie will be blocked).
    To set the Secure attribute, see Adding httponly and secure flags, below.

For more information, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite.

To specify a cookie same-site value:

  1. Open cloudconfig.php.
    • Windows Location: XAMPP DIRECTORY/htdocs/config/cloudconfig.php
    • Linux Location: /var/www/config/cloudconfig.php
  2. Add one of the following:
    • To set the cookie same-site setting to Strict:

      define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "Strict");
    • To set the cookie same-site setting to Lax (the default):

      define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "Lax");
    • To set the cookie same-site setting to None:

      define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");

Adding httponly and secure flags

You can further harden your cookies against external attacks by setting the httponly and secure flags when cookies are sent in HTTP headers.

What do httponly and secure flags do?

  • A cookie can be accessed through HTTP or through client-side JavaScript. The httponly flag blocks client-side access: the browser still sends the cookie with HTTP requests, but script running in the page (for example, via document.cookie) cannot read it, so an injected script cannot steal it.
  • Most sites are served over HTTPS, but some are also reachable over HTTP, or load some of their components over HTTP. A cookie without the secure flag is then transmitted in the clear over HTTP, where it can be read by anyone on the network path. The secure flag prevents this by telling the browser to send the cookie only over HTTPS.

To configure FileCloud to always use the httponly and secure flags in HTTP headers:

  1. Open cloudconfig.php.
    • Windows Location: C:\xampp\htdocs\config\cloudconfig.php
    • Linux Location: /var/www/html/config/cloudconfig.php
  2. Add the following:

    define("TONIDOCLOUD_SECURE_COOKIE", 1);
    define("TONIDOCLOUD_HTTPONLY_COOKIE", 1);
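As an added example (not part of FileCloud's documentation or code), the following Python script audits Set-Cookie response headers against the rules on this page for both procedures above: it parses each header and reports a missing Secure or HttpOnly flag, a missing or unknown SameSite value, and the SameSite=None-without-Secure combination that browsers reject. The header lines are constructed samples; to check a real deployment, replace them with the Set-Cookie headers captured from your own FileCloud server after changing cloudconfig.php.

```python
"""Audit Set-Cookie headers for the SameSite, Secure and HttpOnly attributes."""

# Constructed sample headers (hypothetical), resembling what a FileCloud server
# might return before and after the cloudconfig.php changes described above.
SAMPLE_HEADERS = [
    "Set-Cookie: PHPSESSID=abc123; Path=/",
    "Set-Cookie: tracking=xyz; Path=/; SameSite=None",
    "Set-Cookie: session=def456; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Return (cookie name, attribute map); keys lowercased, flags map to ""."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(header: str) -> list[str]:
    """Return findings for one Set-Cookie header; an empty list means OK."""
    _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("no explicit SameSite (browser default applies)")
    elif samesite not in ("lax", "strict", "none"):
        findings.append(f"unknown SameSite value: {attrs['samesite']}")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure (browsers reject the cookie)")
    return findings


def audit_headers(headers: list[str]) -> dict[str, list[str]]:
    """Audit every Set-Cookie header, keyed by cookie name."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {'OK' if not findings else ', '.join(findings)}")
```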