HttpOnly And Secure Cookie Flags

Two simple cookie flags that block script theft and plaintext transmission of sessions.

4 min read · intro

Cookies Hold Sensitive Sessions

Session cookies usually stand in for a logged-in user: whoever presents the cookie is treated as that user. If an attacker reads one, they can impersonate the user without knowing the password. Two cookie flags directly harden how the browser handles the cookie.

HttpOnly

The HttpOnly flag tells the browser not to expose the cookie to client-side script. The cookie still travels on every matching request, but document.cookie cannot read it, and script cannot see it in fetch or XMLHttpRequest response headers either.

  • This blocks a cross-site scripting (XSS) payload from reading the session cookie and sending it to the attacker.
  • It does not fix the XSS itself: injected script can still act as the user from inside the page. It removes one common payoff, the stolen reusable session.

Secure

The Secure flag tells the browser to send the cookie only on requests to secure (https://) origins. Modern browsers also refuse to store a Secure cookie that a plaintext http:// response tries to set.

  • It prevents the cookie from leaking over plaintext HTTP, for example when the user follows an http:// link to the site or types the hostname without a scheme.
  • It defends against network attackers sniffing the connection or downgrading a request to plaintext; pair it with HSTS so the browser never makes the plaintext request in the first place.

Use Them Together

  • Set session cookies as HttpOnly and Secure, plus an explicit SameSite value (Lax is a sensible default; Strict where the login flow allows it).
  • The __Host- name prefix goes further: the browser rejects the cookie unless it is Secure, has Path=/ and carries no Domain attribute, so neither a plaintext response nor a subdomain can overwrite it.
  • These flags are cheap; default to them on anything authentication related.
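The following is an added example, not code from the lesson: a small builder that emits a hardened session Set-Cookie header with the HttpOnly, Secure and SameSite attributes discussed above, and an audit function that parses any Set-Cookie header and reports which of those protections is missing. The function names (buildSessionCookie, parseSetCookie, auditSetCookie) and the two sample headers are this example's own; the sample headers are constructed, not captured from a real site.

```javascript
// Added example for this lesson (not the lesson's own code). Builds a hardened
// session cookie header and audits Set-Cookie headers for the flags covered
// above. Function names and sample data are this example's assumptions.

// Build a Set-Cookie value for a session cookie. HttpOnly, Secure and SameSite
// are always set; the optional __Host- prefix makes the browser additionally
// enforce Secure, Path=/ and the absence of a Domain attribute.
function buildSessionCookie(name, value, { sameSite = 'Lax', maxAge = 3600, hostPrefix = true } = {}) {
  if (!/^[\w-]+$/.test(name)) throw new Error('unsafe cookie name');
  // Reject separators so an attacker-influenced value cannot inject attributes.
  if (/[;,\s]/.test(value)) throw new Error('unsafe cookie value');
  const cookieName = hostPrefix ? `__Host-${name}` : name;
  return [
    `${cookieName}=${value}`,
    'Path=/',
    `Max-Age=${maxAge}`,
    'Secure',
    'HttpOnly',
    `SameSite=${sameSite}`,
  ].join('; ');
}

// Parse one Set-Cookie header value into name, value and an attribute map.
// Attribute names are compared case-insensitively, as browsers do.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attributes };
}

// Audit a Set-Cookie header for a session-style cookie and return findings.
// An empty findings list means HttpOnly, Secure and SameSite are all present
// and any __Host- prefix requirements are satisfied.
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.httponly) {
    findings.push('missing HttpOnly: readable via document.cookie, so XSS can exfiltrate it');
  }
  if (!attributes.secure) {
    findings.push('missing Secure: will be sent on plaintext http:// requests');
  }
  const sameSite = typeof attributes.samesite === 'string' ? attributes.samesite.toLowerCase() : null;
  if (!sameSite) {
    findings.push('missing SameSite: browser defaults vary, set it explicitly');
  } else if (sameSite === 'none' && !attributes.secure) {
    findings.push('SameSite=None requires Secure or the browser rejects the cookie');
  }
  if (name.startsWith('__Host-') && (!attributes.secure || attributes.domain || attributes.path !== '/')) {
    findings.push('__Host- prefix requirements violated: browser will reject the cookie');
  }
  return { name, findings };
}

// Constructed sample headers, as if read from two servers' responses.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/',                                 // weak: no flags at all
  'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax', // hardened
];

for (const h of SAMPLE_HEADERS) {
  const { name, findings } = auditSetCookie(h);
  console.log(`${name}: ${findings.length ? findings.join(' | ') : 'ok'}`);
}
console.log(buildSessionCookie('sid', 'abc123'));
```

Run it with Node to see the weak header flagged three times and the hardened one pass. In a browser, the effect of the first attribute is easy to confirm: after a response sets a cookie with HttpOnly, reading document.cookie in the console omits it, while the same cookie without the flag shows up.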

Key idea

HttpOnly keeps cookies out of reach of scripts and Secure keeps them off plaintext connections, so always set both on session cookies.

Check yourself


1. What does the HttpOnly flag prevent?

2. What does the Secure flag ensure?