httpOnly

HttpOnly is a flag that can be set on HTTP cookies to limit access to the cookie from client-side code. When a cookie is marked HttpOnly, it is not accessible through JavaScript (for example via document.cookie) and is sent to the server only with HTTP requests. This helps prevent session cookies from being stolen via cross-site scripting (XSS) exploits.

Usage: the server includes the HttpOnly attribute in the Set-Cookie header, for example: Set-Cookie: sessionId=abc123; Path=/; HttpOnly; Secure. Modern browsers store such cookies and will not expose them to scripts, while they remain sent with relevant requests to the origin.

Limitations: HttpOnly prevents access by JavaScript, but cookies can still be sent to the server in legitimate requests and be exposed via other attack vectors such as insecure networks if not using HTTPS, malware, or compromised browsers/extensions. It also does not protect against server-side breaches or against Cross-Site Request Forgery without additional protections such as SameSite and anti-CSRF tokens.

Adoption and best practices: Use HttpOnly for session cookies, and combine with Secure (only over HTTPS) and SameSite (Lax or Strict). Regularly review cookie scopes (Domain, Path) and implement input validation and CSP to reduce XSS risk. HttpOnly is a defense-in-depth measure, not a complete solution.
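As an added example (not code from the original page), the following Python helper emits the hardened Set-Cookie header described above and audits arbitrary Set-Cookie headers for the attributes the page recommends; the cookie names, values and sample headers are constructed for illustration.

```python
# Added example, not from the original page: emit the hardened Set-Cookie
# header the text describes and audit headers for the recommended flags.
# Cookie names, values and sample headers below are constructed.

def build_session_cookie(name, value, path="/", same_site="Lax"):
    """Return a Set-Cookie value carrying HttpOnly, Secure and SameSite."""
    if same_site not in ("Lax", "Strict"):
        raise ValueError("session cookies should use SameSite=Lax or Strict")
    return f"{name}={value}; Path={path}; HttpOnly; Secure; SameSite={same_site}"

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr_lower: attr_value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs

def audit_set_cookie(header):
    """Return (cookie_name, findings) listing missing or weak attributes."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie")
    if "secure" not in attrs:
        findings.append("missing Secure: may be sent over plain HTTP")
    same_site = attrs.get("samesite")
    if same_site is None:
        findings.append("missing SameSite: relies solely on anti-CSRF tokens")
    elif same_site.lower() not in ("lax", "strict"):
        findings.append(f"SameSite={same_site}: cookie attached to cross-site requests")
    return name, findings

# Constructed sample headers: one lacking the flags and one hardened.
SAMPLE_HEADERS = [
    "sessionId=abc123; Path=/",
    build_session_cookie("sessionId", "abc123", same_site="Strict"),
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name, findings = audit_set_cookie(header)
        print(name, "OK" if not findings else findings)
```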