Vulnerabilities/

Cookie without HttpOnly Flag

Severity:
Low

Description

The absence of the HttpOnly flag in cookies allows JavaScript running on the client-side to access them through the Document.cookie API. This presents a security risk as it enables attackers to steal sensitive information such as session tokens or user credentials via Cross-Site Scripting (XSS) attacks. Setting the HttpOnly flag ensures that cookies are only accessible to the server, thereby mitigating the risk of XSS attacks.

Recommendation

To enhance security, always set the HttpOnly flag for cookies, especially for session cookies and other cookies containing sensitive information. This prevents client-side scripts from accessing them and helps mitigate the risk of XSS attacks.

References

Related Issues

Tags:
HTTP Headers
Cookie
Cross Site Scripting (XSS)
Application Misconfiguration
Anything's wrong? Let us know Last updated on May 13, 2024

Use SmartScanner Free version to test for this issue

Download