🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Session Cookie with No HttpOnly Flag

The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker's script code might attempt to read the contents of a cookie and exfiltrate information obtained. When set, browsers that support the flag will not reveal the contents of the cookie to a third party via client-side script executed via XSS.

Remediation

Add HttpOnly flag to the cookie.

Metadata

  • Severity: informational
  • Slug: session-cookie-with-no-httponly-flag

CWEs

  • 1004: Sensitive Cookie Without 'HttpOnly' Flag

OWASP

  • A05:2021: Security Misconfiguration

Available Labs

Select a language to explore available labs for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.