HttpOnly Cookie

A fundamental security control for protecting session cookies from XSS attacks.

What is HttpOnly?

HttpOnly is a security attribute that can be set on a cookie to prevent client-side JavaScript from accessing it. When a cookie is marked with HttpOnly, browsers will block attempts to read it through document.cookie, which makes it significantly harder for attackers to steal session identifiers during an XSS (Cross-Site Scripting) attack.

Why HttpOnly Matters

Example of an HttpOnly Cookie

Set-Cookie: session_id=abc123; HttpOnly; Secure; SameSite=Lax

In this example, the cookie is marked HttpOnly, so client-side script cannot read it; Secure, so the browser sends it only over HTTPS; and SameSite=Lax, so it is withheld from most cross-site requests.
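As an added example (not code from the original page), the following Python audit parses a Set-Cookie header the way a response-header check in a CI pipeline or proxy might, and reports session cookies that lack HttpOnly, Secure or SameSite. The session-name hints and the weak header are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed heuristic: cookie names that usually carry a session identifier.
SESSION_HINTS = ("session", "sess", "sid", "token", "auth")


@dataclass
class CookieAudit:
    name: str
    attributes: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str) -> tuple[str, str, dict]:
    """Split a Set-Cookie value into name, value and a lower-cased attribute map.
    Flag attributes (HttpOnly, Secure) map to True; valued ones keep their value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> CookieAudit:
    """Return the findings a reviewer would raise against one Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header)
    audit = CookieAudit(name=name, attributes=attrs)
    looks_like_session = any(h in name.lower() for h in SESSION_HINTS)
    if looks_like_session and "httponly" not in attrs:
        audit.findings.append("missing HttpOnly: readable via document.cookie")
    if "secure" not in attrs:
        audit.findings.append("missing Secure: may be sent over plaintext HTTP")
    if "samesite" not in attrs:
        audit.findings.append("missing SameSite: browser default applies")
    return audit


if __name__ == "__main__":
    # The header from the article, and a constructed weak variant for comparison.
    for hdr in ("session_id=abc123; HttpOnly; Secure; SameSite=Lax",
                "session_id=abc123; Path=/"):
        result = audit_set_cookie(hdr)
        print(result.name, result.findings or "OK")
```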

How Attackers Steal Cookies Without HttpOnly

Without HttpOnly, a simple XSS payload that reads document.cookie can expose all cookies to an attacker. With HttpOnly enabled, that read fails for the protected cookie, and the session identifier remains out of the attacker's reach.