HttpOnly Cookies

ON THIS PAGE

What are HttpOnly Cookie Flags?

Most who are unfamiliar with ‘HttpOnly’ cookie flags only discover the term during a security check of their website. If you're completely new to what this cookie flag is (and what it does for your website), CookieScript is here to fill you in with the details.

What Does the HttpOnly Cookie Flag Do?

The HttpOnly cookie flag is often added to cookies that may contain sensitive information about the user. Essentially, this type of flag tells the server to not reveal cookie information contained in embedded scripts. HttpOnly also tells the server that the information contained in the flagged cookies should not be transferred beyond the server. This flag is especially important in protecting secure information that could be compromised during a cross-site request forgery (CSRF) attack or if there is a flaw in the code that causes cross-site scripting (XSS). Both of these instances could lead user data to be leaked to hackers. 

Adding HttpOnly is useful in instances where cookies could be accidentally or intentionally revealed to a third-party, but there are some notable exceptions on when you should not use HttpOnly flags. Read on to see when you should and should not use the HttpOnly flag to secure an HTTP cookie.

In short, the HttpOnly flag makes cookies inaccessible to client-side scripts, like JavaScript. Those cookies can only be edited by a server that processes the request.

 

This is the main reason why CookieScript (which is a JavaScript-based solution) cannot control cookies with the HttpOnly flag. Those cookies should either be assigned to a Strictly Necessary Cookie Category or controlled on the server-side.

When to Use HttpOnly

Let's say your website uses HTTPS (Hypertext Transfer Protocol Secure) exclusively. You will likely want to use “secure” cookie flags in addition to the HttpOnly flag. So long as you are not running javascript to collect site traffic data or analytics, then you can use HttpOnly to provide an extra layer of protection for your website. HttpOnly tags are especially useful on websites that — for one reason or another — have not yet adopted the HTTPS protocol.

In short, you should always err on the side of caution by running HTTPS with both secure and HttpOnly tags, that is, unless you know your javascript requires cookie access to function properly.

When NOT to Use HttpOnly

The HttpOnly flag would seem like a surefire way to secure all cookie information on a website, so why not simply tag every cookie as HttpOnly? Contrary to what seems like a good idea, there are some notable exceptions of when you should not rely on the protection of this HTTP cookie flag — and they all have to do with javascript.

  • Using javascript for analytics. If you are running javascript on your site and the framework relies on cookies to operate, then having an HttpOnly flag in your code can actually break your security and likely cause issues with the javascript.
  • Using javascript for page state. If your website's page state depends on javascript to interpret and modify your cookie values, this site type of site architecture may not work with HttpOnly and could leave the site open to cross-site request forgeries (CSRFs). In cases like this, you should leave out the HttpOnly flag and simply use the secure flag with the HTTPS protocol.
When in doubt, if your website is protected by HTTPS, then the secure flag should take top priority. And, so long as you are not running javascript, HttpOnly can work as an added layer of protection.