Cookie Flags: HTTPOnly
Purpose
Why use this header at all?
When set, the "HTTPOnly" cookie attribute tells the browser that the cookie may only be used in HTTP or HTTPS requests and must not be exposed to client-side script. It complements the "Secure" flag (which restricts the cookie to HTTPS transport); neither flag weakens the other, and session cookies should carry both. HTTPOnly largely negates the usefulness of a cross-site scripting (XSS) vulnerability for session theft, because injected JavaScript cannot read the session cookie value through the document.cookie property.
Recommendation
Consider the Impact of Compliance section below to see if this recommendation works for you.
Unless your site has a specific requirement to read session cookies from JavaScript (unlikely), this flag should be enabled. Note that it does not stop the browser from attaching the cookie to requests it sends to the issuing domain, so the server still receives the session on AJAX (XMLHttpRequest or fetch) calls made from the page; only script access to the cookie value is blocked.
Risk Mitigated
By following this recommendation, what risk is mitigated?
Stops the cookie value from being read by JavaScript via document.cookie, so an XSS payload cannot exfiltrate the session identifier. This largely reduces the usefulness of XSS vulnerabilities for session hijacking. It does not remove the XSS itself: injected script can still issue requests from the victim's page, and the browser will attach the cookie to them, so HTTPOnly is a mitigation that complements fixing the injection, not a substitute for it.
Impact of Compliance
By using this header, you may expect these changes in your site's functionality
If your site's scripts read or write a cookie through the document.cookie property, setting this flag on that cookie will cause those scripts to break. The flag is set per cookie, so apply it to session-management cookies and any cookie carrying private information; simple feature flags and front-end preference cookies that JavaScript legitimately needs may be left without it.
Next Steps
What you can do to get there
Some servers and programming languages have a configuration setting (for example session.cookie_httponly in PHP's php.ini) that automatically adds this attribute to cookies issued by the built-in session mechanism. If your developers have implemented their own cookie/session management, they may need to modify the code that emits Set-Cookie headers to comply.
Example
What this header may look like when implemented securely
Set-Cookie: {cookieName}={cookieValue}; HTTPOnly
(This omits other cookie attributes such as Path, Expires or Max-Age, and the Secure flag, which has its own page in this library. Attribute names are case-insensitive, so browsers accept both "HTTPOnly" and the RFC 6265 spelling "HttpOnly".)
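The two Next Steps situations above, a hand-rolled session mechanism that must emit the attribute itself and an audit of headers an existing site already sends, as an added example that is not code from the original page. It runs under Node.js with no network access. The function names (buildSetCookie, parseSetCookie, auditSetCookie), the session-name heuristic in SESSION_NAME_HINTS, and the sample Set-Cookie headers are all constructed for this illustration.

```javascript
// Added example (not from the original page): build Set-Cookie header values
// that carry HTTPOnly (plus Secure, Path and SameSite) for a custom session
// mechanism, and audit existing Set-Cookie headers for session-like cookies
// that lack the flag. Pure functions, runnable offline under Node.js.

// Heuristic for "this cookie probably carries a session or credential".
// Assumption for this example; adjust to your application's cookie names.
const SESSION_NAME_HINTS = [/sess/i, /sid$/i, /token/i, /auth/i];

// Split a Set-Cookie header value into name, value and an attribute map.
// Attribute names are case-insensitive (RFC 6265), so keys are lowercased;
// flag attributes such as HttpOnly and Secure map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq).trim();
  const value = eq === -1 ? '' : pair.slice(eq + 1).trim();
  const attributes = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Build a Set-Cookie header value. HttpOnly and Secure default to ON; a caller
// must opt out explicitly (e.g. a preference cookie that JavaScript reads).
function buildSetCookie(name, value, opts = {}) {
  // Reject separator characters so an attacker-influenced value cannot
  // smuggle in extra attributes or a second cookie.
  if (!/^[^\s;=,]+$/.test(name)) throw new Error('invalid cookie name');
  if (!/^[^\s;,]*$/.test(value)) throw new Error('invalid cookie value');
  const parts = [`${name}=${value}`, `Path=${opts.path || '/'}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  parts.push(`SameSite=${opts.sameSite || 'Lax'}`);
  if (opts.secure !== false) parts.push('Secure');
  if (opts.httpOnly !== false) parts.push('HttpOnly');
  return parts.join('; ');
}

// Report whether a Set-Cookie header carries HttpOnly and Secure, and flag
// session-like cookies that are missing either one.
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const httpOnly = 'httponly' in attributes;
  const secure = 'secure' in attributes;
  const looksLikeSession = SESSION_NAME_HINTS.some((re) => re.test(name));
  const findings = [];
  if (looksLikeSession && !httpOnly) {
    findings.push(`${name}: session-like cookie readable via document.cookie (add HttpOnly)`);
  }
  if (looksLikeSession && !secure) {
    findings.push(`${name}: session-like cookie may travel over plain HTTP (add Secure)`);
  }
  return { name, httpOnly, secure, looksLikeSession, findings };
}

// Collect findings across every Set-Cookie header in a response.
function auditAll(headers) {
  return headers.flatMap((h) => auditSetCookie(h).findings);
}

// Constructed sample headers (not captured from any real site): one PHP
// session cookie with no flags, one token cookie with Secure but not HttpOnly,
// and one harmless preference cookie.
const SAMPLE_HEADERS = [
  'PHPSESSID=0123456789abcdef; Path=/',
  'auth_token=eyJhbGciOi; Path=/; Secure',
  'theme=dark; Path=/; Max-Age=31536000',
];

// Stand-alone run: show a hardened session header, then the audit findings.
console.log(buildSetCookie('sessionid', 'a1b2c3d4', { maxAge: 3600 }));
for (const finding of auditAll(SAMPLE_HEADERS)) console.log(finding);
```

A practitioner would point auditAll at the Set-Cookie headers captured from a login response; the heuristic only decides which missing flags are reported as findings, the parsed attribute map is returned for every cookie regardless.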
Read More!
Welcome! The library is new and has some content to read over; we'll be adding more soon.
- Cache Control
- Cookie Flags: Secure
- Cookie Flags: HTTPOnly
- HTTP Strict Transport Security (HSTS)
- HTTP Public Key Pinning (HPKP)
- Pragma
- Server
- X-Frame-Options
- X-Powered-By
- X-XSS-Protection