Session Cookie without HttpOnly Flag
Impact: Medium
Description
The HttpOnly cookie flag prevents the JavaScript Document.cookie API from accessing the cookie. When this flag is set, the browser still sends the cookie with requests to the server but does not expose it to client-side script. In many cases, cookies are not needed on the client side; session cookies are a good example of cookies that don't need to be available to JavaScript. Using the HttpOnly flag can help to mitigate Cross-Site Scripting (XSS) attacks, because injected script cannot read the session cookie and exfiltrate it.
Recommendation
Set the HttpOnly flag on the session cookie (for example, in the Set-Cookie response header), together with the Secure and SameSite attributes where the application allows it.
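The following is an added example, not code from the original advisory: one function builds a session Set-Cookie header that carries the HttpOnly flag (plus Secure and SameSite), and a second function audits Set-Cookie headers the way a scanner would, reporting cookies that lack HttpOnly. The cookie names, values and sample headers are constructed for illustration.

```javascript
// Added example (not part of the original advisory). Cookie names and
// values below are constructed placeholders.

// Build a hardened Set-Cookie header value for a session cookie.
function buildSessionCookie(name, value, opts = {}) {
  const { maxAge = 3600, path = '/', sameSite = 'Lax' } = opts;
  // Refuse characters that would let a value inject extra attributes.
  if (/[;,\s]/.test(name) || /[;,\s]/.test(value)) {
    throw new Error('cookie name/value must not contain ";", "," or whitespace');
  }
  return [
    `${name}=${value}`,
    `Path=${path}`,
    `Max-Age=${maxAge}`,
    'HttpOnly',            // not readable through document.cookie
    'Secure',              // only sent over HTTPS
    `SameSite=${sameSite}`,
  ].join('; ');
}

// Audit one Set-Cookie header value and list missing protective flags.
// Attribute names are case-insensitive (RFC 6265), so compare lowercased.
function auditSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const name = nameValue.split('=')[0];
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  const findings = [];
  if (!flags.has('httponly')) findings.push('missing HttpOnly');
  if (!flags.has('secure')) findings.push('missing Secure');
  if (!flags.has('samesite')) findings.push('missing SameSite');
  return { name, findings };
}

// Audit every Set-Cookie header from a response.
function auditAll(headers) {
  return headers.map(auditSetCookie);
}

// Constructed sample headers: the first is the vulnerable case this
// advisory describes, the second is a correctly flagged session cookie.
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/',
  buildSessionCookie('sid', 'xyz', { sameSite: 'Strict' }),
];

for (const result of auditAll(SAMPLE_HEADERS)) {
  console.log(result.name, result.findings.length ? result.findings : 'OK');
}
```

Run the audit against the Set-Cookie headers of a login response; any session cookie that reports "missing HttpOnly" is the finding described above. Setting the flag does not block a script from using the session (requests still carry the cookie), so it reduces the impact of XSS rather than preventing XSS itself.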
References
Last updated on February 15, 2021