This article is part of our Web Security Knowledge Base.

Why “Cookie No HttpOnly Flag” can be dangerous

A cookie set without the HttpOnly flag can be read and modified by client-side JavaScript through `document.cookie`. Unless your application has a good reason to read or set cookie values on the client side, add the HttpOnly flag so that an attacker who manages to inject a malicious script (for example through a cross-site scripting flaw) cannot steal the data kept in the cookie, such as a session identifier.

How to fix “Cookie No HttpOnly Flag”

Make sure that your application adds the HttpOnly attribute to every Set-Cookie header it emits, ideally by configuring it once in the framework's cookie or session settings rather than at each individual call site.

How does ScanRepeat report “Cookie No HttpOnly Flag”?

ScanRepeat reports the list of URLs whose responses contain a Set-Cookie header without the HttpOnly flag, along with a description of the problem and a possible solution.
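The check described above, and the fix from the previous section, as an added example that is not ScanRepeat's own code: it parses the raw Set-Cookie header values of a response, reports the cookies set without HttpOnly, and shows how a header is corrected. The function names and the sample headers are constructed for this example.

```python
"""Find Set-Cookie headers that lack the HttpOnly flag (added example)."""
from __future__ import annotations


def parse_set_cookie(value: str) -> tuple[str, set[str]]:
    """Return (cookie name, lower-cased attribute names) for one Set-Cookie value.

    A Set-Cookie value has the form 'name=value; Attr1; Attr2=val; ...'
    (RFC 6265). Attribute names are case-insensitive, so the comparison
    is done on lower-cased names: 'HttpOnly', 'httponly' and 'HTTPONLY' all match.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def cookies_missing_httponly(set_cookie_headers: list[str]) -> list[str]:
    """Names of cookies that are set without HttpOnly, in header order."""
    missing = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            missing.append(name)
    return missing


def add_httponly(value: str) -> str:
    """Return the Set-Cookie value with '; HttpOnly' appended if it is absent."""
    _, attrs = parse_set_cookie(value)
    if "httponly" in attrs:
        return value
    return value.rstrip().rstrip(";") + "; HttpOnly"


# Constructed sample: the Set-Cookie headers of one response (not from a real scan).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",   # already protected
    "remember_me=1; Path=/; Max-Age=2592000",       # missing HttpOnly
    "lang=en; Path=/",                               # missing HttpOnly
]

if __name__ == "__main__":
    for cookie in cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"cookie '{cookie}' is set without HttpOnly")
    print(add_httponly("lang=en; Path=/"))
```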

Would you like to test your application against this problem now? Sign up for our free trial.
