
HttpOnly Cookie

An HttpOnly cookie is a browser cookie marked so that client-side scripts cannot read it directly. It matters because session secrets are safer when browser scripts cannot easily access or exfiltrate them.

What is HttpOnly Cookie?

The HttpOnly attribute tells the browser that a cookie should be handled only through HTTP requests and not exposed to JavaScript. It is commonly used to reduce the damage of cross-site scripting attacks against session cookies.

What HttpOnly Cookie Commonly Supports

Common uses include hardening session cookies, reducing script-based cookie theft, and making web authentication handling safer.

HttpOnly Cookie vs. Script-Readable Cookie

A script-readable cookie can be accessed by JavaScript running in the browser. An HttpOnly cookie is intentionally withheld from client-side script access.
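The attribute and the difference it makes, as an added example that is not part of the original glossary page: a small auditor that parses Set-Cookie values (constructed samples, not from any real site), reports which cookies lack HttpOnly (and the Secure and SameSite attributes usually set with it), shows what a page script could still read through document.cookie, and emits a hardened header. The function names and sample values are this example's own.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample Set-Cookie values, as a server might emit them.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/",                                     # weak: script-readable
    "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",  # hardened
    "theme=dark; Path=/; Max-Age=31536000",                   # non-secret, script use intended
]

@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]
    missing: list = field(default_factory=list)

def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    httponly = "httponly" in attrs
    secure = "secure" in attrs
    samesite = attrs.get("samesite") or None
    missing = [label for label, ok in (("HttpOnly", httponly), ("Secure", secure),
                                       ("SameSite", samesite is not None)) if not ok]
    return CookieAudit(name, httponly, secure, samesite, missing)

def harden(header: str) -> str:
    """Return the same Set-Cookie value with missing hardening attributes appended."""
    audit = parse_set_cookie(header)
    out = header.strip().rstrip(";")
    if not audit.httponly:
        out += "; HttpOnly"
    if not audit.secure:
        out += "; Secure"
    if audit.samesite is None:
        out += "; SameSite=Lax"
    return out

def script_visible(headers) -> list:
    """Names of cookies a page script could read via document.cookie (non-HttpOnly)."""
    return [a.name for a in map(parse_set_cookie, headers) if not a.httponly]
```

Running `script_visible(SAMPLE_HEADERS)` returns only the weak session cookie and the theme cookie; the HttpOnly session cookie is withheld from script, which is the whole point of the attribute.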

Frequently Asked Questions

Why is HttpOnly useful?

Because it makes it harder for an injected or compromised browser script to read session cookies directly.

Does HttpOnly stop XSS?

No. It limits one common impact of XSS, but it does not prevent the underlying script injection problem.
