Cookie without HttpOnly Flag
Impact: Low
Description
The absence of the HttpOnly flag in cookies allows JavaScript running on the client-side to access them through the Document.cookie API. This presents a security risk as it enables attackers to steal sensitive information such as session tokens or user credentials via Cross-Site Scripting (XSS) attacks. Setting the HttpOnly flag ensures that cookies are only accessible to the server, thereby mitigating the risk of XSS attacks.
Recommendation
To enhance security, always set the HttpOnly flag for cookies, especially for session cookies and other cookies containing sensitive information. This prevents client-side scripts from accessing them and helps mitigate the risk of XSS attacks.
References
- CWE-1004
- CWE-16
- MDN Web Docs: HttpOnly cookie
- OWASP 2021-A5
- OWASP: HttpOnly
- OWASP: Session Management Cheat Sheet
👉 You might also like:
Session Cookie without HttpOnly Flag - Vulnerability
Cookie without SameSite Flag - Vulnerability
Cookie without Secure Flag - Vulnerability
Session Cookie without SameSite Flag - Vulnerability
Last updated on May 13, 2024