Cookies Not Marked as HttpOnly - Vulnerability Database

Cookies Not Marked as HttpOnly

Description

The application sets one or more cookies without the HttpOnly flag. The HttpOnly attribute is a security mechanism that prevents client-side scripts (such as JavaScript) from accessing cookie values, limiting cookie access to server-side code only. Without this protection, cookies—particularly session cookies—are vulnerable to theft through cross-site scripting (XSS) attacks.

Remediation

Configure all cookies, especially those containing sensitive data or session information, with the HttpOnly flag. This prevents client-side script access while maintaining normal server-side functionality.

Implementation examples:

PHP:

// The options-array form of setcookie() requires PHP 7.3 or later
setcookie('session_id', $value, [
    'httponly' => true,
    'secure' => true,
    'samesite' => 'Strict'
]);

Java (Servlet):

Cookie cookie = new Cookie("session_id", value);
cookie.setHttpOnly(true);
cookie.setSecure(true);
response.addCookie(cookie);

ASP.NET:

HttpCookie cookie = new HttpCookie("session_id", value);
cookie.HttpOnly = true;
cookie.Secure = true;
Response.Cookies.Add(cookie);

Node.js (Express):

res.cookie('session_id', value, {
    httpOnly: true,
    secure: true,
    sameSite: 'strict'
});

HTTP Response Header:

Set-Cookie: session_id=value; HttpOnly; Secure; SameSite=Strict

Additionally, enable the Secure flag to ensure cookies are only transmitted over HTTPS connections.
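A small audit routine that reads the Set-Cookie headers of a response and reports cookies missing the HttpOnly or Secure flag, ranking likely session cookies first. This is an added example, not Invicti's scanner code; the cookie-name hints and the sample headers are constructed for illustration.

```python
"""Audit Set-Cookie response headers for missing HttpOnly/Secure flags."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed heuristic: name fragments that usually mark session/auth cookies
SENSITIVE_HINTS = ("sess", "auth", "token")


@dataclass
class CookieFinding:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]
    issues: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieFinding:
    """Split one Set-Cookie value into its name and attribute flags (RFC 6265 layout)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # flag attributes carry no value
    same_site = attrs.get("samesite")
    finding = CookieFinding(
        name=name,
        http_only="httponly" in attrs,
        secure="secure" in attrs,
        same_site=same_site if isinstance(same_site, str) else None,
    )
    if not finding.http_only:
        finding.issues.append("missing HttpOnly: readable by client-side script (XSS theft)")
    if not finding.secure:
        finding.issues.append("missing Secure: may be sent over plaintext HTTP")
    if finding.same_site is None:
        finding.issues.append("no SameSite: browser default applies")
    return finding


def audit_response(set_cookie_headers: List[str]) -> List[CookieFinding]:
    """Return only cookies with at least one issue, likely session cookies first."""
    flagged = [f for f in map(parse_set_cookie, set_cookie_headers) if f.issues]
    flagged.sort(key=lambda f: not any(h in f.name.lower() for h in SENSITIVE_HINTS))
    return flagged


# Constructed sample headers, as a scanner would read them from one HTTP response
SAMPLE_HEADERS = [
    "session_id=abc123; HttpOnly; Secure; SameSite=Strict",
    "JSESSIONID=9F2A; Path=/",
    "theme=dark; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for f in audit_response(SAMPLE_HEADERS):
        print(f.name, "->", "; ".join(f.issues))
```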
