
OWASP Best Practices

Note: This guide is to be followed for production deployment. Some configurations might not work in the deployment environment.

Make sure the following is added to the web.php file.

'components' => [
    'request' => [
        'csrfCookie' => [
            'httpOnly' => true,
            'secure' => true
        ]
    ],
    'session' => [
        'cookieParams' => [
            'httpOnly' => true,
            'secure' => true
        ]
    ],
    'cookies' => [
        'class' => 'yii\web\Cookie',
        'httpOnly' => true,
        'secure' => true,
        'sameSite' => PHP_VERSION_ID >= 70300 ? yii\web\Cookie::SAME_SITE_LAX : null
    ],
]

Session strict mode (session.use_strict_mode) should be enabled in the php.ini file so that PHP rejects session IDs it did not generate itself.

session.use_strict_mode = 1
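To verify that a deployment actually emits the cookie flags configured above and has strict mode on, the following added example (not code from the original guide or from the Yii project) parses Set-Cookie headers the way a test client or reverse proxy would see them and reports any cookie missing Secure, HttpOnly or SameSite, then parses a php.ini fragment and checks session.use_strict_mode. The header strings and ini text are constructed for the demonstration; the function names are this example's own.

```python
"""
Audit helper (added example; not part of the original guide or the Yii project).

Parses Set-Cookie headers as a test client or reverse proxy would see them and
reports which of the flags the guide requires (Secure, HttpOnly, SameSite) are
missing. Also parses a php.ini fragment and checks session.use_strict_mode.
The sample headers and ini text below are constructed for the demonstration.
"""
from __future__ import annotations

from typing import Dict, List, Tuple, Union

Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(header: str) -> Tuple[str, str, Attrs]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Flag attributes (HttpOnly, Secure) carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str) -> Tuple[str, List[str]]:
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    same_site = attrs.get("samesite")
    if not isinstance(same_site, str) or not same_site:
        findings.append("missing SameSite")
    elif same_site.lower() == "none" and "secure" not in attrs:
        # Browsers drop SameSite=None cookies that lack Secure, so this is a silent failure.
        findings.append("SameSite=None requires Secure")
    return name, findings


def audit_php_ini(ini_text: str) -> List[str]:
    """Check a php.ini fragment for the session setting the guide requires."""
    settings: Dict[str, str] = {}
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        if not line or "=" not in line:
            continue
        key, _, val = line.partition("=")
        settings[key.strip()] = val.strip()
    findings: List[str] = []
    if settings.get("session.use_strict_mode") != "1":
        findings.append("session.use_strict_mode is not 1")
    return findings


# Constructed sample headers: one hardened cookie and two with gaps.
SAMPLE_SET_COOKIE_HEADERS = [
    "_csrf=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "PHPSESSID=deadbeef; Path=/",
    "theme=dark; Path=/; HttpOnly; SameSite=None",
]

# Constructed php.ini fragment with strict mode left off.
SAMPLE_PHP_INI = """
; constructed php.ini fragment
session.use_strict_mode = 0
session.cookie_httponly = 1
"""


if __name__ == "__main__":
    for header in SAMPLE_SET_COOKIE_HEADERS:
        cookie_name, cookie_findings = audit_cookie(header)
        print(f"{cookie_name}: {'OK' if not cookie_findings else ', '.join(cookie_findings)}")
    for finding in audit_php_ini(SAMPLE_PHP_INI):
        print("php.ini:", finding)
```

Run it against the headers captured from a real response (for example the Set-Cookie lines from `curl -I` on the login page) to confirm that the csrfCookie and session cookie settings from web.php took effect; a cookie that shows up without Secure usually means the app is being served over plain HTTP, which is the "might not work in the deployment environment" case the note above refers to.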