From 8a39d893b5c1ddeeff6c77fa05e6f2ef356edc8a Mon Sep 17 00:00:00 2001
From: Roland Haeder <roland@mxchange.org>
Date: Thu, 7 Apr 2016 12:58:21 +0200
Subject: [PATCH] added some http-only configuration to avoid common XSS

---
 web/WEB-INF/web.xml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/web/WEB-INF/web.xml b/web/WEB-INF/web.xml
index 288c1c7c..1cc23f32 100644
--- a/web/WEB-INF/web.xml
+++ b/web/WEB-INF/web.xml
@@ -27,8 +27,11 @@
     </servlet-mapping>
     <session-config>
         <session-timeout>
-			30
-		</session-timeout>
+            30
+        </session-timeout>
+        <cookie-config>
+            <http-only>true</http-only>
+        </cookie-config>
     </session-config>
     <welcome-file-list>
         <welcome-file>faces/index.xhtml</welcome-file>
-- 
2.39.5