📌
Software Security
  • README
  • Prerequisites
    • Prerequisites
  • Introduction
    • Cyber security principles
    • Basic web concepts
      • HTTP
      • JavaScript
      • Cookies
      • SQL
      • DOM
      • APIs and the multitier architecture
    • Basic browser security concepts
      • Same-Origin Policy (SOP)
      • Cross-Origin Resource Sharing (CORS)
      • Cookies
      • Tracking
    • Basic security concepts
      • Hashing
  • Access Control: Basics
    • Authentication
      • Passwords
      • Password managers
      • Attacking passwords - online
      • Attacking passwords - offline
    • Authorization
      • Insecure direct object references
    • Session Management
    • CSRF
      • CSRF: why & how it works
      • Protecting against CSRF attacks
    • SSRF
      • SSRF: how it works and how we can protect against it
  • Access Control: Advanced
    • Authentication
      • Federation
      • Alternative authentication mechanisms
      • FIDO2 and WebAuthn
  • Injection attacks
    • Injection attacks
    • SQL Injection
    • Command Injection
    • Cross-site scripting
      • Input validation
      • Context sensitive output encoding
      • About the HttpOnly flag
      • Content Security Policy
    • Subresource integrity
    • Sandboxing
  • HTTPS
    • HTTPS
    • Introduction to cryptography
    • PKI
    • Setting up HTTPS
    • References
  • HTTP Headers for security
    • HTTP Headers
  • Threat Modeling
    • Threat modeling introduction
    • Threat modeling basics
    • Inspiration for threats
  • Bringing it all together
    • A comprehensive overview of controls
Powered by GitBook
On this page

Was this helpful?

  1. Injection attacks
  2. Cross-site scripting

About the HttpOnly flag

PreviousContext sensitive output encodingNextContent Security Policy

Last updated 3 years ago

Was this helpful?

In the chapter where the were explained, we already made mention of the HttpOnly flag. We said the following:

"To help mitigate cross-site scripting (XSS) attacks, HttpOnly cookies are not accessible to JavaScript (e.g. through the Document.cookie API); they are only sent to the server."

You should now better understand this statement. If a cookie marked as 'HttpOnly', it cannot be stolen by an attacker even if there is an XSS vulnerability. This flag should not be considered as a fix against XSS, rather it is a 'defense-in-depth' measure to limit the impact of XSS. Cookies that are not expected to be accessed by JavaScript should always be given the HttpOnly flag.

cookie flags