Cookie without HttpOnly Flag

Impact: Low


The absence of the HttpOnly flag in cookies allows JavaScript running on the client-side to access them through the Document.cookie API. This presents a security risk as it enables attackers to steal sensitive information such as session tokens or user credentials via Cross-Site Scripting (XSS) attacks. Setting the HttpOnly flag ensures that cookies are only accessible to the server, thereby mitigating the risk of XSS attacks.


To enhance security, always set the HttpOnly flag for cookies, especially for session cookies and other cookies containing sensitive information. This prevents client-side scripts from accessing them and helps mitigate the risk of XSS attacks.


Last updated on May 13, 2024

Use SmartScanner Free version to test for this issue