HttpOnly Cookie Flag (HttpOnly Flag)

Security Glossary - Web Security

Definition: The HttpOnly flag is an attribute on a Set-Cookie header that tells the browser not to expose the cookie to client-side script: the cookie is absent from document.cookie (and from the Cookie Store API). So even if an XSS vulnerability lets an attacker run JavaScript on your page, that script cannot read an HttpOnly cookie. The browser still attaches the cookie to HTTP requests it makes to the matching origin, so server-side session validation works exactly as before.

Why HttpOnly Flag Matters

XSS attacks frequently target session cookies because a stolen session cookie gives the attacker the victim's authenticated session. Without HttpOnly, a single XSS vulnerability lets injected script read every cookie in scope for the page via document.cookie and send it to a server the attacker controls, after which the attacker can replay the session from their own machine for as long as it stays valid.

With HttpOnly, even a successful XSS attack cannot read the session cookie. The attacker can still make requests to your API from inside the victim's browser (the browser attaches the cookie automatically), but cannot exfiltrate the cookie and use it from their own machine. This confines the attack to the time the injected script is running in the victim's browser: once the victim leaves the page, the attacker keeps no independent access, unless the script used that window to make persistent changes such as altering account settings.

HttpOnly should be set on every session cookie and authentication token. Cookies that JavaScript must read (a CSRF token in the double-submit pattern, UI preference cookies) cannot use HttpOnly, so they must never carry session or authentication data.

Checking Your Setup

Audit the HttpOnly flag on every cookie your application sets: inspect the Set-Cookie response headers directly (browser DevTools, curl -i, or an automated scan) rather than trusting framework defaults. Session cookies and authentication tokens must carry HttpOnly. A CSRF token cookie may have to omit it if your JavaScript reads the token from the cookie, but consider delivering the token another way so that no cookie needs to be readable by script. HttpOnly only addresses script access; pair it with Secure and SameSite, which address transport and cross-site sending.
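The following is an added example, not code from the original page or from DomainOptic's scanner. It covers both the "why" above (what a login response should set, and what document.cookie would expose) and the audit step: it builds Set-Cookie headers with the attributes a session cookie needs, then checks a constructed set of headers for sensitive-looking cookies that lack HttpOnly. The cookie names, the SENSITIVE_NAME heuristic and the sample headers are assumptions for illustration; the document.cookie model is an imitation of browser behaviour, not browser code.

```javascript
// Added example (not from the original page): build Set-Cookie headers with the
// attributes a session cookie needs, then audit a set of headers for
// sensitive-looking cookies that lack HttpOnly. Plain Node.js, no network.

// Build one Set-Cookie header value (attribute names per RFC 6265).
function buildSetCookie(name, value, attrs = {}) {
  const parts = [`${name}=${value}`];
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  if (attrs.maxAge !== undefined) parts.push(`Max-Age=${attrs.maxAge}`);
  if (attrs.secure) parts.push('Secure');
  if (attrs.httpOnly) parts.push('HttpOnly');
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  return parts.join('; ');
}

// Cookies a login response should set (names are assumptions): the session id
// is HttpOnly; the CSRF token (double-submit pattern) deliberately is not,
// because page script has to read it.
function loginCookies(sessionId, csrfToken) {
  return [
    buildSetCookie('sessionid', sessionId, { path: '/', httpOnly: true, secure: true, sameSite: 'Lax' }),
    buildSetCookie('csrftoken', csrfToken, { path: '/', httpOnly: false, secure: true, sameSite: 'Lax' }),
  ];
}

// Parse a Set-Cookie header value into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Cookie names that usually carry a session or auth token (heuristic, tune per app).
const SENSITIVE_NAME = /sess|auth|token|jwt|sid|login/i;

// Audit: every sensitive-looking cookie without HttpOnly is a finding.
// Names listed in options.scriptReadable (e.g. a double-submit CSRF cookie)
// are reported as a note rather than an error.
function auditSetCookies(headers, options = {}) {
  const readable = new Set(options.scriptReadable || []);
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (c.attrs.httponly || !SENSITIVE_NAME.test(c.name)) continue;
    if (readable.has(c.name)) {
      findings.push({ name: c.name, severity: 'note', reason: 'readable by design; consider header/meta delivery' });
    } else {
      findings.push({ name: c.name, severity: 'error', reason: 'sensitive-looking cookie without HttpOnly' });
    }
  }
  return findings;
}

// Model of what document.cookie would return for these headers: only cookies
// without HttpOnly appear. This imitates the browser; it is not browser code.
function scriptVisibleCookies(headers) {
  return headers.map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample: headers as a scanner might capture them from one response.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; Secure; SameSite=Lax',   // session cookie, HttpOnly missing
  'auth_token=tok456; Path=/; HttpOnly; Secure',       // correct
  'csrftoken=d3adb33f; Path=/; Secure; SameSite=Lax',  // readable on purpose
  'theme=dark; Path=/',                                // preference, not sensitive
];

for (const f of auditSetCookies(SAMPLE_HEADERS, { scriptReadable: ['csrftoken'] })) {
  console.log(`[${f.severity}] ${f.name}: ${f.reason}`);
}
console.log('document.cookie would show:', scriptVisibleCookies(SAMPLE_HEADERS));
```

On the sample, sessionid is reported as an error, csrftoken as a note, and auth_token and theme produce nothing; the visibility model shows that the HttpOnly auth_token never reaches script. The name heuristic is deliberately broad; in a real audit, start from the list of cookies your application actually sets rather than a regex.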

Frequently Asked Questions

Can XSS attacks still be dangerous with HttpOnly cookies?
Yes. While the attacker cannot read the cookie directly, they can still make API requests from the victim's browser (the cookie is attached automatically), read page content, perform actions as the user, and capture keystrokes and form input. HttpOnly limits but does not eliminate XSS impact; fixing the XSS itself remains the priority.
Should CSRF tokens have HttpOnly?
It depends on your implementation. If your frontend reads the CSRF token from a cookie using JavaScript (the double-submit pattern), HttpOnly must be omitted for that specific cookie. Consider delivering the token in an HTML meta tag or a response header instead; the server then compares the token the client sends back with the value it holds for the session, so no cookie needs to be readable by script and the session cookie stays HttpOnly.

Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.