Authentication & Identity

HttpOnly

The HttpOnly flag is a cookie attribute that prevents JavaScript from reading the cookie through document.cookie. This is critical for session cookies because it blocks XSS payloads from exfiltrating them: even if an attacker injects JavaScript into the page, that script cannot read HttpOnly cookies. The browser still sends HttpOnly cookies with HTTP requests, so the server reads them normally. Note that HttpOnly limits the damage of XSS rather than preventing it; it stops the cookie value from being stolen, not the injected script from running. All authentication cookies should have HttpOnly set.
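As an added example that is not part of the glossary page, the script below audits Set-Cookie header values and reports cookies that look like session or authentication cookies but are set without HttpOnly. The sample headers and the name heuristic (AUTH_NAME_HINTS) are constructed assumptions for illustration.

```python
# Added example: audit Set-Cookie headers for auth cookies missing HttpOnly.
# The sample headers and name heuristic below are constructed, not from any
# real site or from the glossary page.
from dataclasses import dataclass
from typing import Dict, List

# Constructed Set-Cookie values, as a server might emit them.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "auth_token=xyz789; Path=/; Secure",          # missing HttpOnly
    "theme=dark; Path=/; Max-Age=31536000",       # not an auth cookie
]

# Heuristic (assumption): substrings that usually mark a session/credential cookie.
AUTH_NAME_HINTS = ("sess", "auth", "token", "jwt", "login", "sid")


@dataclass
class CookieAudit:
    name: str
    attributes: Dict[str, str]   # attribute names lower-cased, e.g. "httponly"
    looks_like_auth: bool
    http_only: bool


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie value into its name and case-insensitive attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")   # flag attributes have an empty value
        attrs[key.strip().lower()] = val.strip()
    lowered = name.lower()
    return CookieAudit(
        name=name,
        attributes=attrs,
        looks_like_auth=any(hint in lowered for hint in AUTH_NAME_HINTS),
        http_only="httponly" in attrs,
    )


def find_missing_httponly(headers: List[str]) -> List[str]:
    """Return the names of auth-looking cookies that are set without HttpOnly."""
    return [
        c.name for c in map(parse_set_cookie, headers)
        if c.looks_like_auth and not c.http_only
    ]


if __name__ == "__main__":
    for cookie_name in find_missing_httponly(SAMPLE_SET_COOKIE_HEADERS):
        print(f"WARNING: cookie {cookie_name!r} is set without HttpOnly")
```

Feed it the Set-Cookie values from a real login response to spot the same misconfiguration the scan on this page looks for.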

Why it matters for your website

  • Directly impacts resistance to account takeover and credential theft
  • Required for SOC 2, HIPAA, and PCI-DSS compliance
  • Misconfiguration can expose all user accounts to attack

Check your site for HttpOnly issues

Run a free scan to see if your domain has any HttpOnly-related vulnerabilities or misconfigurations.
