Not Http-Only Cookie

  • CWE 1004

HttpOnly is an optional flag included in a Set-Cookie HTTP response header. A cookie set with HttpOnly cannot be read by JavaScript, whether through the document.cookie property, the XMLHttpRequest API, or the Request API, which limits the impact of Cross-site Scripting (XSS). As a result, even if an XSS flaw exists and a user accidentally follows a link that exploits it, script running in the page cannot read the cookie, so the browser will not reveal it to a third party.

Remediation

Consider marking the cookies used by the application as HttpOnly, so that JavaScript code cannot read them.
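To make the flag described above and this remediation concrete, here is an added example (not part of this page or any scanner) that parses Set-Cookie headers, reports cookies that page script could read, and appends HttpOnly where it is missing. The helper names and the sample headers are constructed for the example.

```python
"""Audit Set-Cookie response headers for the HttpOnly attribute (CWE-1004).
Hypothetical helper, not part of any scanner; the sample headers are constructed."""


def parse_set_cookie(header: str) -> tuple:
    """Return (cookie name, {attribute: value}); flags such as HttpOnly map to None.
    Attribute names are case-insensitive (RFC 6265), so they are lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()  # the value may itself contain '='
    attrs: dict = {}
    for part in parts[1:]:
        if part:
            key, sep, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip() if sep else None
    return name, attrs


def has_httponly(header: str) -> bool:
    """True when the cookie carries the HttpOnly flag in any capitalisation."""
    return "httponly" in parse_set_cookie(header)[1]


def cookies_missing_httponly(headers: list) -> list:
    """Names of cookies that page script could read through document.cookie."""
    return [parse_set_cookie(h)[0] for h in headers if not has_httponly(h)]


def add_httponly(header: str) -> str:
    """Remediation: append the flag when absent, leaving other attributes intact.
    HttpOnly only hides the cookie from script; the browser still attaches it to
    requests, so the flag complements fixing the XSS itself rather than replacing it."""
    if has_httponly(header):
        return header
    return header.rstrip().rstrip(";") + "; HttpOnly"


# Constructed sample response headers, as a scanner might collect them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure",                  # readable by script
    "csrftoken=xyz789; Path=/; HttpOnly; SameSite=Lax",  # protected
    "theme=dark; Max-Age=3600; httponly",                # flag is case-insensitive
    "prefs=a=b; Path=/",                                 # '=' inside the value
]

if __name__ == "__main__":
    for name in cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"cookie {name!r} is readable by JavaScript: add HttpOnly")
    for h in SAMPLE_HEADERS:
        print(add_httponly(h))
```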
