HttpOnly Cookies
HttpOnly cookies are cookies that include the HttpOnly attribute. When a cookie is marked HttpOnly, the browser is instructed not to expose that cookie to client-side scripts such as JavaScript running in the page. This helps prevent theft of, or tampering with, the cookie through cross-site scripting (XSS) attacks. The cookie is still sent to the server with each request to the cookie's domain and path.
The attribute is set by the server in the Set-Cookie header, for example: Set-Cookie: sessionId=abc123; HttpOnly
HttpOnly does not protect against all cookie abuse. It does not prevent cross-site request forgery (CSRF) by
HttpOnly is widely supported in modern browsers. For session cookies, combine HttpOnly with Secure and SameSite
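The behaviour described above, as an added example that is not part of the original page: a simplified cookie-jar model showing that an HttpOnly cookie is absent from what scripts read yet still present in the request, plus a check for the three attributes named for session cookies. The function names and sample headers are constructed for illustration, and the model assumes a same-site HTTPS request and ignores Domain, Path and expiry matching.

```javascript
// Added example: simplified model, not a full RFC 6265 implementation.
// Parse one Set-Cookie header value into name, value and attribute flags.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p !== '');
  const eq = parts[0].indexOf('=');
  if (eq < 1) throw new Error('missing cookie name: ' + header);
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    httpOnly: false, secure: false, sameSite: null,
  };
  for (const attr of parts.slice(1)) {
    const [rawKey, ...rest] = attr.split('=');
    const key = rawKey.trim().toLowerCase(); // attribute names are case-insensitive
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = rest.join('=').trim();
  }
  return cookie;
}

// What page scripts would read from document.cookie: HttpOnly cookies are left out.
function scriptView(jar) {
  return jar.filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join('; ');
}

// What goes into the Cookie request header (assumed HTTPS): HttpOnly cookies included.
function requestView(jar) {
  return jar.map((c) => `${c.name}=${c.value}`).join('; ');
}

// Attributes recommended for session cookies that this cookie lacks.
function missingAttributes(cookie) {
  const missing = [];
  if (!cookie.httpOnly) missing.push('HttpOnly');
  if (!cookie.secure) missing.push('Secure');
  if (!cookie.sameSite) missing.push('SameSite');
  return missing;
}

// Constructed sample headers; names and values are placeholders.
const sampleHeaders = [
  'sessionId=abc123; HttpOnly;', // trailing ';' is dropped by this parser
  'theme=dark; Path=/',
  'auth=tok456; Secure; HttpOnly; SameSite=Lax',
];
const jar = sampleHeaders.map(parseSetCookie);
console.log('document.cookie:', scriptView(jar));
console.log('Cookie header  :', requestView(jar));
for (const c of jar) console.log(c.name, 'missing:', missingAttributes(c).join(', ') || 'none');
```

Running the same `missingAttributes` check over the Set-Cookie headers of a captured response is a quick way to spot session cookies that were issued without the recommended attributes.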