What are HttpOnly Cookie Flags?
Most who are unfamiliar with ‘HttpOnly’ cookie flags only discover the term during a security check of their website. If you're completely new to what this cookie flag is (and what it does for your website), CookieScript is here to fill you in with the details.
What Does the HttpOnly Cookie Flag Do?
The HttpOnly flag is set on cookies that carry sensitive values, most often the session identifier. It is an attribute in the Set-Cookie header that the server sends, and the browser enforces it: a cookie flagged HttpOnly is still attached automatically to every matching request, but the browser withholds it from client-side script, so document.cookie does not return it and JavaScript cannot read or overwrite it. The flag matters most when a cross-site scripting (XSS) flaw lets an attacker run script in the page. Without HttpOnly, that injected script can read the session cookie and send it to the attacker, who then uses it to impersonate the user. It is worth being precise about what HttpOnly does not do. It does not stop a cross-site request forgery (CSRF): the browser still sends the cookie with forged cross-site requests, so CSRF needs its own defences (anti-CSRF tokens, the SameSite attribute). It does not protect the cookie in transit; that is the job of the Secure attribute and HTTPS. And it does not neutralise the XSS itself; an injected script can still act on the user's behalf from inside the page, it just cannot carry the cookie away.
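The following is an added example, not CookieScript's code. It builds Set-Cookie header values with and without the flag, models what document.cookie would expose for each (HttpOnly cookies filtered out, as a browser does), and runs the kind of check a website security scan performs: flagging cookies whose names look like session or auth tokens but lack HttpOnly or Secure. The sample headers and the name patterns used to decide which cookies count as sensitive are assumptions made for this example. Plain Node.js, no dependencies.

```javascript
// Added example (not from the original page). Node.js, no dependencies.

// Build a Set-Cookie header value. Attribute names are case-insensitive per
// RFC 6265; the server only emits the flag, the browser enforces it.
function buildSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (Number.isInteger(opts.maxAge)) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// Parse one Set-Cookie header value into { name, value, attrs }, with
// attribute keys lower-cased so "HttpOnly" and "httponly" compare equal.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf('=');
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// Model of what document.cookie returns to page script: every stored cookie
// EXCEPT those flagged HttpOnly. This mirrors browser behaviour for the
// purpose of the example; it is not a browser.
function documentCookieView(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Scanner-style check: cookies whose names suggest a session or auth token
// must carry HttpOnly and Secure. The name pattern is an assumption.
const SENSITIVE_NAME = /sess|sid|token|auth|jwt/i;
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (SENSITIVE_NAME.test(c.name)) {
    if (!c.attrs.httponly) findings.push(`${c.name}: missing HttpOnly (readable by injected script)`);
    if (!c.attrs.secure) findings.push(`${c.name}: missing Secure (sent over plain HTTP)`);
  }
  return findings;
}

// Constructed sample: one hardened session cookie, one exposed auth token,
// and one harmless preference cookie that script legitimately reads.
const SAMPLE_HEADERS = [
  buildSetCookie('sessionid', 'a1b2c3', { httpOnly: true, secure: true, sameSite: 'Lax', path: '/' }),
  'auth_token=eyJabc.def.ghi; Path=/',
  'theme=dark; Path=/; Max-Age=31536000',
];

console.log('Set-Cookie headers:', SAMPLE_HEADERS);
console.log('document.cookie would expose:', documentCookieView(SAMPLE_HEADERS));
console.log('Findings:', SAMPLE_HEADERS.flatMap(auditSetCookie));
```

Run with `node`: the hardened `sessionid` cookie is absent from the modelled document.cookie string and produces no findings, while `auth_token` shows up in script-visible cookies and is reported for both missing flags. The `theme` cookie is visible to script and not flagged, which is the point of the next two sections: HttpOnly belongs on cookies script has no reason to read, not on every cookie.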
Setting HttpOnly is the right default for any cookie that page script has no need to read, because it removes the easiest way for an injected script to leak the cookie to a third party. There are notable exceptions, though: cookies that client-side code must read or write cannot carry the flag. Read on to see when you should and should not use the HttpOnly flag to secure an HTTP cookie.
When to Use HttpOnly
When NOT to Use HttpOnly