Session Cookie with No HttpOnly Flag

The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker's script code might attempt to read the contents of a cookie and exfiltrate information obtained. When set, browsers that support the flag will not reveal the contents of the cookie to a third party via client-side script executed via XSS.

Remediation

Add HttpOnly flag to the cookie.

Metadata

Severity: informational
Slug: session-cookie-with-no-httponly-flag

CWEs

1004: Sensitive Cookie Without 'HttpOnly' Flag

OWASP

A05:2021: Security Misconfiguration

Available Labs

Open Javascript labs in SecDim Play for this vulnerability.

easy

Cookie.js

JavaScript Easy Signature

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.