Setting the HttpOnly attribute on cookies prevents client-side scripts from reading their values, limiting the damage that cross-site scripting (XSS) attacks can cause.

Why is this an issue?

When a cookie is created without the HttpOnly attribute, or with the option explicitly set to false, client-side scripts running in the browser can read the cookie's value through document.cookie. At the HTTP level the attribute is opt-in: a Set-Cookie header that omits HttpOnly yields a script-readable cookie. Library defaults vary: express-session, cookie-session and cookies add HttpOnly unless told otherwise, whereas csurf in cookie mode does not add it unless it is requested, so the issue arises either from an explicit httpOnly: false or from relying on a default that is not protective. Setting httpOnly to true instructs the browser to block script access to the cookie, limiting the damage from XSS attacks that attempt to steal session credentials.

What is the potential impact?

Session hijacking and account takeover

The most common target of cookie theft is the session cookie used to authenticate a user. If an attacker can exploit an XSS vulnerability on a page where a session cookie is accessible to scripts, they can steal it and use it to impersonate the authenticated user without needing their credentials. This can lead to unauthorized access to sensitive account data, account takeover, and potential privilege escalation within the application. Note that HttpOnly limits exfiltration of the cookie value, not its use: an injected script can still issue requests from the victim's browser that carry the cookie, so the attribute complements fixing the XSS itself rather than replacing it.

How to fix it in cookie-session

Code examples

The following code explicitly disables the HttpOnly attribute on the session cookie.

Noncompliant code example

const cookieSession = require('cookie-session');

let session = cookieSession({
  name: 'session',
  keys: ['key1', 'key2'], // placeholder signing keys; load real ones from configuration
  httpOnly: false, // Noncompliant
});

Compliant solution

const cookieSession = require('cookie-session');

let session = cookieSession({
  name: 'session',
  keys: ['key1', 'key2'], // placeholder signing keys; load real ones from configuration
  httpOnly: true,
});

How to fix it in express-session

Code examples

The following code explicitly disables the HttpOnly attribute on the session cookie.

Noncompliant code example

const express = require('express');
const session = require('express-session');

let app = express();
app.use(session({
  secret: 'change-me', // placeholder signing secret; load the real one from configuration
  cookie: {
    httpOnly: false // Noncompliant
  }
}));

Compliant solution

const express = require('express');
const session = require('express-session');

let app = express();
app.use(session({
  secret: 'change-me', // placeholder signing secret; load the real one from configuration
  cookie: {
    httpOnly: true
  }
}));

How to fix it in cookies

Code examples

The following code explicitly disables the HttpOnly attribute on the cookie it sets.

Noncompliant code example

const Cookies = require('cookies');
const keys = ['key1', 'key2']; // placeholder signing keys; load real ones from configuration

let cookies = new Cookies(req, res, { keys: keys });

cookies.set('LastVisit', new Date().toISOString(), {
  httpOnly: false // Noncompliant
});

Compliant solution

const Cookies = require('cookies');
const keys = ['key1', 'key2']; // placeholder signing keys; load real ones from configuration

let cookies = new Cookies(req, res, { keys: keys });

cookies.set('LastVisit', new Date().toISOString(), {
  httpOnly: true
});

How to fix it in csurf

Code examples

The following code explicitly disables the HttpOnly attribute on the CSRF token cookie.

Noncompliant code example

const cookieParser = require('cookie-parser');
const csrf = require('csurf');
const express = require('express');

let app = express();
app.use(cookieParser()); // csurf's cookie mode requires cookie-parser to run first
let csrfProtection = csrf({ cookie: { httpOnly: false }}); // Noncompliant
app.use(csrfProtection);

Compliant solution

const cookieParser = require('cookie-parser');
const csrf = require('csurf');
const express = require('express');

let app = express();
app.use(cookieParser()); // csurf's cookie mode requires cookie-parser to run first
let csrfProtection = csrf({ cookie: { httpOnly: true }});
app.use(csrfProtection);
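The fixes above only toggle one option per library. The following added example, which is not code from the original page or from any of the libraries it covers, shows what that option changes on the wire (the point made under "Why is this an issue?") and gives a check you can run against the Set-Cookie headers an Express response is about to send. The function names serializeCookie, parseSetCookie, findScriptReadableCookies and demo are illustrative, and the sample headers are constructed for the example.

```javascript
// Added example, not from the original page or from the libraries it covers.
// Shows (1) how the httpOnly option maps onto the Set-Cookie header and
// (2) a check that flags cookies a browser would expose to document.cookie.

// Minimal serializer mirroring what cookie libraries emit: HttpOnly is a bare
// attribute that is present when httpOnly is true and absent otherwise
// (RFC 6265 has no "HttpOnly=false" form; omission means script-readable).
function serializeCookie(name, value, opts = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new TypeError(`invalid cookie name: ${name}`);
  }
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${Math.floor(opts.maxAge)}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// Parse one Set-Cookie header value into its name, value and attributes.
// Attribute names are matched case-insensitively, as browsers do.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attrs };
}

// Given the value Node returns from res.getHeader('set-cookie') (undefined,
// a string, or an array of strings), return the names of cookies that
// client-side script could read because HttpOnly is missing.
function findScriptReadableCookies(setCookieHeaders) {
  if (setCookieHeaders === undefined) return [];
  const list = Array.isArray(setCookieHeaders) ? setCookieHeaders : [setCookieHeaders];
  return list
    .map(parseSetCookie)
    .filter((c) => c.attrs.httponly !== true)
    .map((c) => c.name);
}

// Constructed sample: a hardened session cookie, a noncompliant cookie set
// with httpOnly: false, and a CSRF cookie written with lower-case attributes.
function demo() {
  const headers = [
    serializeCookie('session', 'eyJ1c2VyIjoxfQ', { path: '/', secure: true, httpOnly: true, sameSite: 'Lax' }),
    serializeCookie('LastVisit', '2024-01-01T00:00:00.000Z', { path: '/', httpOnly: false }),
    '_csrf=tok; path=/; httponly',
  ];
  return findScriptReadableCookies(headers); // ['LastVisit']
}

console.log('script-readable cookies:', demo());
```

In an Express application the same check fits naturally into a test that calls the handler and inspects res.getHeader('set-cookie'), or into a response hook in a staging environment; any name it returns is a cookie that one XSS on the origin would be able to read.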
