Cookie No HttpOnly Flag

Risk:
Low

Type:
Passive

CWE:
CWE-1004

Summary: A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

Solution: Ensure that the HttpOnly flag is set for all cookies.

References: https://owasp.org/www-community/HttpOnly

Free security scan for your website

Don't show website scan report rating on the leaderboard