Cookie No HttpOnly Flag
- Risk: Low
- Type: Passive
- CWE: 1004
- Summary
- A cookie has been set without the HttpOnly flag, which means that client-side JavaScript can read it through `document.cookie`. If an attacker can execute script in this page (for example via a cross-site scripting flaw), that script can read the cookie and transmit it to a site the attacker controls. If the cookie is a session identifier, the attacker can then replay it and hijack the session.
- Solution
- Ensure that the HttpOnly flag is set for all cookies, and in particular for session cookies. Cookies that client-side code legitimately needs to read cannot carry the flag; for those, confirm that they hold no session identifier or other secret. Note that HttpOnly only stops script from reading the cookie value: script running in the page can still issue requests that the browser sends with the cookie attached, so the flag limits the impact of cross-site scripting but does not remove the need to fix it.
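The check described above, as an added example that is not ZAP's own code: it parses the `Set-Cookie` headers of a response, reports every cookie set without `HttpOnly` (matching the attribute name case-insensitively, as browsers do), and builds a hardened `Set-Cookie` header for comparison. The response headers are constructed for the example; the function names are this example's own.

```python
"""Added example: a passive check for Set-Cookie headers that lack HttpOnly.

Illustrates the alert logic described on the page; it is not ZAP's
implementation. The sample headers at the bottom are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> attribute value, or None for flag attributes
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 syntax).

    The first ';'-separated part is name=value; the remaining parts are
    attributes. Browsers match attribute names case-insensitively, so
    "httponly", "HttpOnly" and "HTTPONLY" all set the flag and the check
    must treat them alike.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return Cookie(name.strip(), value.strip(), attrs)


def cookies_missing_httponly(set_cookie_headers: List[str]) -> List[str]:
    """Return the names of all cookies in the response set without HttpOnly."""
    return [c.name for c in map(parse_set_cookie, set_cookie_headers) if not c.httponly]


def build_set_cookie(name: str, value: str, *, httponly: bool = True,
                     secure: bool = True, samesite: str = "Lax", path: str = "/") -> str:
    """Build a Set-Cookie header with the hardening attributes on by default."""
    parts = [f"{name}={value}", f"Path={path}"]
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    if samesite:
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


# Constructed sample: the Set-Cookie headers of one hypothetical response.
SAMPLE_HEADERS = [
    "JSESSIONID=3f2a9c1e; Path=/; Secure",                           # session cookie, readable by script: finding
    "theme=dark; Path=/; Max-Age=31536000",                           # preference cookie that the UI reads: also flagged
    "csrftoken=abc123; Path=/; Secure; SameSite=Strict; httponly",   # flag present, lower-case spelling still counts
]

if __name__ == "__main__":
    for cookie_name in cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"Cookie No HttpOnly Flag: {cookie_name}")
    print("Hardened header:", build_set_cookie("JSESSIONID", "3f2a9c1e"))
```

The `theme` cookie shows why the finding needs a human judgement: a cookie that client-side code must read cannot carry the flag, so the question for triage is whether it holds anything a script should not be able to exfiltrate.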
- References