🍪
HttpOnly Cookie
Web Security
Cookie flag preventing client-side scripts from accessing the cookie; mitigates some XSS cookie theft.
Definition
HttpOnly cookies cannot be read through document.cookie, which reduces the impact of an XSS bug on session theft. The flag does not stop the browser from attaching the cookie to requests, so script running in the page can still make requests that carry it.
In plain English
A flag set on a cookie that stops JavaScript running in the page from reading it, which limits how much an XSS bug can do to steal a session.
Why this matters
Session cookies are a common target for theft, and HttpOnly is a key defense-in-depth control: it does not remove an XSS vulnerability, but it takes the easiest payoff away.
Example
Mark session cookies HttpOnly, Secure and SameSite, and still mitigate XSS itself through a Content Security Policy and careful input and output handling.