About the HttpOnly flag

In the chapter where the cookie flags were explained, we already mentioned the HttpOnly flag. We said the following:

"To help mitigate cross-site scripting (XSS) attacks, HttpOnly cookies are not accessible to JavaScript (e.g. through the Document.cookie API); they are only sent to the server."

You should now better understand this statement. If a cookie is marked as 'HttpOnly', injected script cannot read it, so it cannot be stolen by an attacker even if there is an XSS vulnerability. This flag should not be considered a fix for XSS; rather, it is a 'defense-in-depth' measure that limits the impact of XSS. Cookies that do not need to be accessed by JavaScript should always be given the HttpOnly flag.
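To make the statement concrete, here is an added example (written for this page, not code from the original tutorial): a small Python script that parses `Set-Cookie` header values, shows which cookies would be visible through `document.cookie`, and flags cookies that lack `HttpOnly`. The parser is a simplified one that assumes well-formed headers, and the sample headers are constructed for the example.

```python
"""Audit Set-Cookie headers for the HttpOnly flag.

Added example, not from the original page. Parses Set-Cookie header values
and reports which cookies injected JavaScript could read via document.cookie.
"""
from dataclasses import dataclass, field


@dataclass
class ParsedCookie:
    name: str
    value: str
    # lower-cased attribute name -> attribute value, or True for bare flags
    attributes: dict = field(default_factory=dict)

    @property
    def http_only(self) -> bool:
        return self.attributes.get("httponly") is True

    @property
    def secure(self) -> bool:
        return self.attributes.get("secure") is True


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Split 'name=value; Attr; Attr=val' into name, value and attributes.

    Attribute names are compared case-insensitively (RFC 6265, section 5.2),
    so 'HttpOnly', 'httponly' and 'HTTPONLY' all count as the flag.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")  # first '=' separates name and value
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return ParsedCookie(name.strip(), value.strip(), attrs)


def document_cookie_view(headers) -> str:
    """Return what document.cookie would expose: only cookies without HttpOnly."""
    visible = [c for c in map(parse_set_cookie, headers) if not c.http_only]
    return "; ".join(f"{c.name}={c.value}" for c in visible)


def audit_cookies(headers, script_readable_ok=()) -> list:
    """Return names of cookies that script could read but should not.

    `headers` is an iterable of Set-Cookie header values. Names listed in
    `script_readable_ok` are cookies the front-end legitimately reads
    (for example a UI preference) and are therefore not reported.
    """
    findings = []
    for cookie in map(parse_set_cookie, headers):
        if cookie.name in script_readable_ok:
            continue
        if not cookie.http_only:
            findings.append(cookie.name)
    return findings


# Constructed sample response headers for the example (hypothetical values)
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "csrftoken=xyz789; Path=/; Secure; SameSite=Strict",
    "theme=dark; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    print("document.cookie would show:", document_cookie_view(SAMPLE_HEADERS))
    print("missing HttpOnly:", audit_cookies(SAMPLE_HEADERS, script_readable_ok=("theme",)))
```

Run against the sample headers, `document_cookie_view` shows only `csrftoken` and `theme`; the session cookie is not visible to script even though it was set on the same response. Feed the function the `Set-Cookie` headers from your own application's responses (for instance from a test client) to find cookies that should carry the flag but do not.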
