Cookie No HttpOnly Flag
| ID | Severity | Kind | CWE |
| --- | --- | --- | --- |
| cookie_no_httponly_flag | low | Session Management | 1004 |
Description
A cookie has been set without the HttpOnly flag, which means that client-side scripts such as JavaScript can read its value. The HttpOnly attribute instructs the browser to restrict cookie access to HTTP(S) requests only, preventing the Document Object Model from exposing the cookie to page-level code. When this flag is absent, any script running in the page context can retrieve the cookie content through the document.cookie API.
Rationale
If an attacker exploits a cross-site scripting (XSS) flaw on the application, they can inject malicious JavaScript that reads cookies lacking the HttpOnly flag and exfiltrates them to an external server. When the exposed cookie is a session identifier, the attacker can perform session hijacking to impersonate the victim and access protected resources, personal data, or administrative functions. Even non-session cookies may contain sensitive information whose disclosure increases the overall attack surface of the application.
Remediation
Set the HttpOnly flag on every cookie that does not need to be read by client-side JavaScript. In most web frameworks this is a single configuration change on the cookie or session settings.
For Java Servlet containers, call cookie.setHttpOnly(true) before adding the cookie to the response. In Spring Boot, set server.servlet.session.cookie.http-only=true in the application properties. For ASP.NET, add httpOnlyCookies="true" to the httpCookies element in web.config. In Express / Node.js, pass { httpOnly: true } in the cookie options.
Review your application to confirm that no legitimate client-side code depends on reading the cookie. If a cookie must be accessible to JavaScript, ensure it does not carry session tokens or other security-sensitive values.
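The following is an added example, not part of the original finding template or any framework's own code. It implements the check this finding describes (parse each Set-Cookie response header and report cookies that lack the HttpOnly attribute) and the remediation side (build a Set-Cookie value with HttpOnly, Secure and SameSite set by default). The header strings in SAMPLE_HEADERS are constructed for the example; attribute names are compared case-insensitively, as browsers treat them.

```javascript
// Parse one Set-Cookie header value into its name, value and attribute map.
// Attribute names are lower-cased so "HttpOnly", "httponly" and "HTTPONLY"
// are all recognised. Valueless attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue = '', ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = (eq === -1 ? nameValue : nameValue.slice(0, eq)).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attributes = Object.create(null); // avoid prototype keys such as "constructor"
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Detection side of the finding: return the names of cookies whose
// Set-Cookie header carries no HttpOnly attribute, i.e. cookies that
// document.cookie would expose to any script running in the page.
function findCookiesWithoutHttpOnly(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !('httponly' in c.attributes))
    .map((c) => c.name);
}

// Remediation side: build a Set-Cookie value with hardened defaults.
// Callers that genuinely need a script-readable cookie pass httpOnly: false,
// and such a cookie should then never carry a session token.
function buildSetCookie(name, value, opts = {}) {
  const { httpOnly = true, secure = true, sameSite = 'Lax', path = '/' } = opts;
  const parts = [`${name}=${value}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Constructed sample response headers (not from any real application).
const SAMPLE_HEADERS = [
  'JSESSIONID=abc123; Path=/; Secure',                          // session cookie, no HttpOnly
  'theme=dark; Path=/; Max-Age=31536000',                       // preference cookie, no HttpOnly
  'csrf_token=xyz; Path=/; Secure; HttpOnly; SameSite=Strict',  // compliant
];

// Stand-alone run: list the offending cookies and show a corrected header.
console.log('Cookies without HttpOnly:', findCookiesWithoutHttpOnly(SAMPLE_HEADERS));
console.log('Corrected session header:', buildSetCookie('JSESSIONID', 'abc123'));
```

Only the session cookie in the sample is a real concern; the theme cookie is reported too because the scanner check is attribute-based, and deciding whether a script-readable cookie is acceptable is the review step described above.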
References
- HttpOnly, in OWASP Community.