🍪
HttpOnly Cookie
Web Security
A cookie setting that blocks JavaScript from reading the cookie.
Definition
HttpOnly is a cookie setting that prevents JavaScript on the page from reading the cookie.
In plain English
A cookie setting that blocks JavaScript from reading the cookie.
Why this matters
Because a script injected into the page cannot read the cookie, HttpOnly helps reduce cookie theft during XSS attacks.
Example
A session cookie is marked HttpOnly so scripts can’t read it.