Severity: medium · CWE-1004 · OWASP A07:2021

Cookies Without HttpOnly Flag

Session or auth cookies accessible to JavaScript via document.cookie, enabling XSS attacks to steal session tokens directly from the browser.

How It Works

Without HttpOnly, any JavaScript running on your page — including injected malicious scripts — can read `document.cookie` and exfiltrate session tokens. HttpOnly tells the browser to send the cookie with HTTP requests but never expose it to JavaScript, so an XSS payload cannot read the cookie even though it executes. It limits the blast radius rather than removing the XSS: the injected script can still issue requests from the page that carry the cookie automatically, so HttpOnly belongs alongside fixing the injection itself.

Vulnerable Code

// BAD: auth token readable by JavaScript
res.setHeader('Set-Cookie', `authToken=${token}; Path=/; Secure`);

Secure Code

// GOOD: HttpOnly blocks JS access
res.setHeader(
  'Set-Cookie',
  `authToken=${token}; Path=/; Secure; HttpOnly; SameSite=Lax`
);
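Making the secure form the default rather than something each handler has to remember, as an added example that is not from the original page: a small Node.js helper (hypothetical names buildSetCookie and setAuthCookies) that validates the cookie name and value against the RFC 6265 character set, so a value cannot smuggle extra attributes, and only omits HttpOnly when the caller explicitly asks for a JavaScript-readable cookie. It assumes a Node-style res.setHeader and runs against a constructed stub response object, so no server is needed.

```javascript
// Added example (not from the original page): a Set-Cookie builder for Node.js
// handlers where HttpOnly, Secure and SameSite=Lax are the defaults, so an auth
// cookie cannot be emitted without them by accident. Function names are hypothetical.

// RFC 6265 cookie-name (token) and cookie-value (cookie-octet) character sets.
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const COOKIE_VALUE_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

function buildSetCookie(name, value, opts = {}) {
  // Rejecting ';', whitespace and control characters also stops a value from
  // injecting extra attributes ("x; HttpOnly" would otherwise look hardened).
  if (!COOKIE_NAME_RE.test(name)) throw new TypeError(`invalid cookie name: ${name}`);
  if (!COOKIE_VALUE_RE.test(value)) throw new TypeError('invalid cookie value');

  const {
    path = '/',
    maxAge,           // seconds; omit for a browser-session cookie
    httpOnly = true,  // secure by default: callers opt OUT for JS-readable cookies
    secure = true,
    sameSite = 'Lax',
  } = opts;

  if (!['Strict', 'Lax', 'None'].includes(sameSite)) {
    throw new TypeError(`invalid SameSite: ${sameSite}`);
  }
  // Per RFC 6265bis, SameSite=None requires Secure (Chromium rejects it otherwise).
  if (sameSite === 'None' && !secure) throw new TypeError('SameSite=None requires Secure');

  const parts = [`${name}=${value}`, `Path=${path}`];
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Emits the HttpOnly auth cookie plus, optionally, a separate non-sensitive
// cookie the frontend is allowed to read. `res` is anything with Node's
// res.setHeader; passing an array keeps the Set-Cookie headers separate.
function setAuthCookies(res, token, uiHint) {
  const headers = [buildSetCookie('authToken', token, { maxAge: 3600 })];
  if (uiHint !== undefined) {
    headers.push(buildSetCookie('uiHint', uiHint, { httpOnly: false }));
  }
  res.setHeader('Set-Cookie', headers);
  return headers;
}

// Stub response object (constructed) so the example runs without a server.
function demo() {
  const res = { headers: {}, setHeader(k, v) { this.headers[k] = v; } };
  setAuthCookies(res, 'abc123', 'alice');
  return res.headers['Set-Cookie'];
}

console.log(demo().join('\n'));
```

The point of the defaults is that forgetting an option yields the hardened header; the only way to get a cookie without HttpOnly is to write `httpOnly: false`, which is easy to spot in review.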

Real-World Example

The 2014 eBay breach involved XSS attacks that leveraged access to non-HttpOnly cookies. Once an XSS flaw exists, HttpOnly is the difference between 'a script ran' and 'all user sessions are compromised'.

How to Prevent It

  • Set HttpOnly on all session, auth, and CSRF cookies
  • If your frontend JavaScript genuinely needs a value, use a separate non-sensitive cookie for it
  • Never store auth tokens in localStorage — use HttpOnly cookies instead
  • Audit all Set-Cookie headers in your app with curl -v or browser DevTools
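The audit step above can be automated instead of eyeballed. As an added example (not from the original page), the following parses Set-Cookie lines, either taken from `curl -v` output or read back from `res.getHeader('Set-Cookie')`, and reports every session-, auth- or CSRF-looking cookie that lacks HttpOnly, Secure or SameSite. The name heuristic (SENSITIVE_NAME_RE), the function names and the sample curl output are all constructed for the example.

```javascript
// Added example (not from the original page): audit Set-Cookie headers for
// missing HttpOnly / Secure / SameSite on sensitive cookies. Names are hypothetical.

// Cookie names that look like session, auth or CSRF material (constructed heuristic;
// extend it with your application's real cookie names).
const SENSITIVE_NAME_RE = /(sess|sid|auth|token|jwt|csrf|xsrf|login)/i;

// Parse one Set-Cookie value into { name, value, attrs }; attribute keys are
// lower-cased because the attributes are case-insensitive (HttpOnly == httponly).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq < 0) return null;                       // not a valid name=value pair
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();       // values may themselves contain '='
  const attrs = {};
  for (const raw of rest) {
    const [k, ...v] = raw.trim().split('=');
    if (!k) continue;
    attrs[k.toLowerCase()] = v.length ? v.join('=').trim() : true;
  }
  return { name, value, attrs };
}

// Returns one finding per sensitive cookie with missing flags; [] means all clear.
function auditSetCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!c || !SENSITIVE_NAME_RE.test(c.name)) continue;  // only sensitive cookies
    const missing = [];
    if (!c.attrs.httponly) missing.push('HttpOnly');
    if (!c.attrs.secure) missing.push('Secure');
    if (!c.attrs.samesite) missing.push('SameSite');
    if (missing.length) findings.push({ cookie: c.name, missing });
  }
  return findings;
}

// `curl -v` prefixes response headers with "< "; pull out just the Set-Cookie values.
function extractSetCookieLines(curlOutput) {
  return curlOutput.split('\n')
    .map((l) => l.replace(/^<\s*/, '').trim())
    .filter((l) => /^set-cookie:/i.test(l))
    .map((l) => l.replace(/^set-cookie:\s*/i, ''));
}

// Constructed sample of curl -v output, not a real capture.
const SAMPLE_CURL = [
  '< HTTP/1.1 200 OK',
  '< Set-Cookie: authToken=abc123; Path=/; Secure',
  '< Set-Cookie: sessionid=xyz; Path=/; Secure; HttpOnly; SameSite=Lax',
  '< Set-Cookie: theme=dark; Path=/',
  '< Set-Cookie: csrftoken=qq; Path=/; SameSite=Lax',
  '< Content-Type: text/html',
].join('\n');

function auditSample() {
  return auditSetCookies(extractSetCookieLines(SAMPLE_CURL));
}

for (const f of auditSample()) {
  console.log(`${f.cookie}: missing ${f.missing.join(', ')}`);
}
```

On the sample, `authToken` is reported for missing HttpOnly and SameSite and `csrftoken` for missing HttpOnly and Secure; `sessionid` passes and `theme` is skipped because it is not a sensitive cookie. Pointing `extractSetCookieLines` at saved `curl -v` output, or feeding `auditSetCookies` the array returned by `res.getHeader('Set-Cookie')` in an integration test, turns the manual audit into a CI check.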

Affected Technologies

  • Node.js
  • Next.js
  • Python
  • PHP
