Vol. 1 · Ed. 2026
CyberGlossary
Entry № 559

HttpOnly Cookie Flag

Reviewed by: Cybersecurity entrepreneur & security researcher

What is HttpOnly Cookie Flag?

HttpOnly Cookie Flag: A cookie attribute that hides the cookie from JavaScript by forbidding access via 'document.cookie', limiting session theft when XSS is exploited.


The 'HttpOnly' attribute on 'Set-Cookie' marks the cookie as inaccessible to client-side scripts. The browser still attaches it to matching HTTP(S) requests, including those made by XHR and 'fetch', but script cannot read it through 'document.cookie', cannot overwrite it with a non-HttpOnly cookie of the same name, and cannot read it from response headers ('Set-Cookie' is a forbidden response header). For session and authentication cookies, 'HttpOnly' is essential because it blocks the most common post-XSS step: harvesting the session cookie and replaying it from the attacker's machine. It is a containment control, not a fix: it does not prevent XSS, and an injected script can still drive authenticated requests from inside the victim's browser; nor does it prevent CSRF. Combine it with 'Secure', 'SameSite', short session lifetimes and a strong Content Security Policy. Cookies that must be read by front-end code (e.g., CSRF double-submit tokens) intentionally omit 'HttpOnly'.
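As an added example (not code from this glossary entry), the Node.js snippet below parses 'Set-Cookie' header values, reports session cookies that lack 'HttpOnly', 'Secure' or 'SameSite', and builds a header carrying the attributes the definition recommends, rejecting values that could smuggle in extra attributes. The sample headers, the session-name heuristic and the 'allowReadable' exemption list are constructed for illustration.

```javascript
"use strict";
// Added example (not from the glossary page): audit Set-Cookie header values
// for the attributes a session cookie should carry, and build a compliant one.
// Sample headers below are constructed for illustration.

// Parse one Set-Cookie value into { name, value, attrs }. Attribute names are
// case-insensitive (RFC 6265), so they are keyed in lower case.
function parseSetCookie(header) {
  const [nameValue, ...attrParts] = header.split(";").map((p) => p.trim());
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? "" : nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Constructed heuristic: names that usually carry a session or auth token.
const SESSION_NAME_RE = /sess|sid|auth|token|jwt|login/i;

// Report missing hardening attributes on one Set-Cookie value. Cookies that
// front-end code must read (e.g. a CSRF double-submit token) are listed in
// allowReadable so a missing HttpOnly is not reported for them.
function auditSetCookie(header, allowReadable = []) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly && !allowReadable.includes(name)) findings.push("missing-httponly");
  if (!attrs.secure) findings.push("missing-secure");
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : null;
  if (sameSite === null) findings.push("missing-samesite");
  else if (sameSite === "none" && !attrs.secure) findings.push("samesite-none-without-secure");
  return { name, sessionLike: SESSION_NAME_RE.test(name), findings };
}

// Audit every Set-Cookie header of a response; returns only cookies with findings.
function auditResponseCookies(setCookieHeaders, allowReadable = []) {
  return setCookieHeaders
    .map((h) => auditSetCookie(h, allowReadable))
    .filter((r) => r.findings.length > 0);
}

// Build a Set-Cookie value for a session cookie with the attributes the entry
// recommends. Name and value are checked against the RFC 6265 token and
// cookie-octet grammar, so a value containing ';' cannot inject attributes.
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const COOKIE_VALUE_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

function buildSessionCookie(name, value, { sameSite = "Lax", path = "/", maxAge } = {}) {
  if (!COOKIE_NAME_RE.test(name)) throw new Error("invalid cookie name");
  if (!COOKIE_VALUE_RE.test(value)) throw new Error("invalid cookie value");
  if (!["Strict", "Lax", "None"].includes(sameSite)) throw new Error("invalid SameSite");
  const parts = [`${name}=${value}`, "HttpOnly", "Secure", `SameSite=${sameSite}`, `Path=${path}`];
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  return parts.join("; ");
}

// Constructed sample response headers, as a server might emit them.
const SAMPLE_SET_COOKIE_HEADERS = [
  "SID=abc; HttpOnly; Secure; SameSite=Lax; Path=/",   // hardened (the entry's example 1)
  "session_id=def; Path=/",                             // readable by an XSS payload
  "XSRF-TOKEN=ghi; Secure; SameSite=Strict; Path=/",    // deliberately readable by front-end code
  "auth=jkl; HttpOnly; SameSite=None; Path=/",          // SameSite=None without Secure is rejected by modern browsers
];

// Stand-alone run: print the offending cookies, then a correctly built header.
if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditResponseCookies(SAMPLE_SET_COOKIE_HEADERS, ["XSRF-TOKEN"])) {
    console.log(`${r.name}${r.sessionLike ? " [session-like]" : ""}: ${r.findings.join(", ")}`);
  }
  console.log(buildSessionCookie("SID", "abc"));
}
```

Run it with `node` against the headers an application actually returns (for example, copied from a proxy or from `curl -i`) rather than the constructed samples; the exemption list is where the intentional omissions for double-submit tokens are recorded so they do not drown out real findings.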

Examples

  1. 'Set-Cookie: SID=abc; HttpOnly; Secure; SameSite=Lax; Path=/'.

  2. After an XSS, the attacker's payload cannot read or exfiltrate the session cookie through 'document.cookie' because it is HttpOnly, although the payload can still issue requests that the browser sends with the cookie attached.

Frequently asked questions

What is HttpOnly Cookie Flag?

A cookie attribute that hides the cookie from JavaScript by forbidding access via 'document.cookie', limiting session theft when XSS is exploited. It belongs to the Application Security category of cybersecurity.

What does HttpOnly Cookie Flag mean?

A cookie attribute that hides the cookie from JavaScript by forbidding access via 'document.cookie', limiting session theft when XSS is exploited.

How does HttpOnly Cookie Flag help defend an application?

HttpOnly Cookie Flag is itself a defensive control. Set it on every session and authentication cookie together with 'Secure' and 'SameSite', keep session lifetimes short, and deploy a strong Content Security Policy to reduce the XSS that 'HttpOnly' only contains; then confirm the attributes are present on the 'Set-Cookie' headers the application actually returns, as detailed in the full definition above.

What are other names for HttpOnly Cookie Flag?

Common alternative names include: HttpOnly attribute.
