Description
The absence of the HttpOnly flag on a cookie allows JavaScript running on the client side to read it through the Document.cookie API. This is a security risk because an attacker who can execute script in the page, for example via Cross-Site Scripting (XSS), can read sensitive values such as session tokens or user credentials and exfiltrate them. Setting the HttpOnly flag instructs the browser to send the cookie only in HTTP requests and to withhold it from client-side script, so the cookie cannot be read by an XSS payload. Note that the flag mitigates cookie theft through XSS; it does not prevent the XSS itself.
Recommendation
To enhance security, always set the HttpOnly flag on cookies, especially session cookies and any other cookie that carries sensitive information. This prevents client-side scripts from accessing them and limits the impact of an XSS vulnerability. Only cookies that legitimately must be read by script should omit the flag, and those should never carry session or authentication data.
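The following Python script is an added example, not part of this knowledge-base entry. It parses Set-Cookie header values, reports cookies that lack HttpOnly (matched case-insensitively, as browsers do), and builds a hardened Set-Cookie value; the sample headers are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class ParsedCookie:
    name: str
    value: str
    # lower-cased attribute name -> value, or True for flag attributes (HttpOnly, Secure)
    attributes: dict = field(default_factory=dict)

    @property
    def httponly(self) -> bool:
        return self.attributes.get("httponly") is True


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Parse one Set-Cookie header value (RFC 6265 syntax): name=value followed by
    ';'-separated attributes. Attribute names are compared case-insensitively."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = ParsedCookie(name.strip(), value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        cookie.attributes[key.strip().lower()] = val.strip() if has_value else True
    return cookie


def audit_set_cookie_headers(headers) -> list:
    """Return the names of cookies set without the HttpOnly flag (the finding this entry describes)."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.httponly]


def build_set_cookie(name, value, *, path="/", secure=True, samesite="Lax", max_age=None) -> str:
    """Build a Set-Cookie value that always carries HttpOnly, plus Secure and SameSite by default."""
    parts = [f"{name}={value}", f"Path={path}", "HttpOnly"]
    if secure:
        parts.append("Secure")
    if samesite:
        parts.append(f"SameSite={samesite}")
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    return "; ".join(parts)


# Constructed sample responses headers for the demonstration.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure",                           # session cookie readable by script: finding
    "remember_me=tok42; Path=/; HttpOnly; Secure; SameSite=Lax",  # hardened
    "lang=en; Path=/; httponly",                                  # lower-case flag still counts
]

if __name__ == "__main__":
    print("Cookies missing HttpOnly:", audit_set_cookie_headers(SAMPLE_HEADERS))
    print("Hardened header:", build_set_cookie("sessionid", "abc123"))
```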
References
- OWASP: HttpOnly
- OWASP: Session Management Cheat Sheet
- MDN Web Docs: HttpOnly cookie
- CWE-1004
- CWE-16
- OWASP 2021-A5
Related Issues
- Cookie without SameSite Flag - Vulnerability
- Session Cookie without HttpOnly Flag - Vulnerability
- Content-Security-Policy Header is Missing - Vulnerability
- Cookie Accessible for Subdomains - Vulnerability
Tags
- HTTP Headers
- Cookie
- Cross Site Scripting (XSS)
- Application Misconfiguration