HttpOnly Not Set


The application sets a cookie without the HttpOnly flag. HttpOnly is a browser-enforced cookie attribute introduced by Microsoft in 2002 that instructs the browser to withhold the cookie from client-side scripts (for example, it is not exposed through document.cookie). It is honoured by all modern browsers and was formally specified in RFC 6265, the current standard for HTTP state management. Without the HttpOnly flag, a cookie such as a session identifier can be read and exfiltrated by injected script, so a cross-site scripting flaw elsewhere in the application turns directly into session theft.
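One way to check for this finding when reviewing responses, as an added example that is not part of the original write-up: parse each Set-Cookie header, report cookies that lack the HttpOnly attribute, and produce the corrected header. The sample headers are constructed for illustration.

```python
"""Added example: flag Set-Cookie headers that lack HttpOnly."""

# Constructed sample headers, as a scanner would collect them from one response.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure",                 # missing HttpOnly
    "csrftoken=xyz; Path=/; HttpOnly; SameSite=Lax",    # set correctly
    "pref=dark=mode; Path=/",                           # value contains '='
]


def _split_header(header):
    """Return (cookie name, lowercase attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    # The first part is name=value; split only on the first '=' because
    # the value itself may contain '='.
    name = parts[0].split("=", 1)[0].strip()
    # RFC 6265 attribute names are case-insensitive, so normalise them.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def missing_httponly(set_cookie_headers):
    """Return the names of cookies whose Set-Cookie header omits HttpOnly."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = _split_header(header)
        if "httponly" not in attrs:
            findings.append(name)
    return findings


def add_httponly(header):
    """Return the Set-Cookie header with '; HttpOnly' appended if absent."""
    _, attrs = _split_header(header)
    if "httponly" in attrs:
        return header
    return header.rstrip("; ") + "; HttpOnly"


if __name__ == "__main__":
    for name in missing_httponly(SAMPLE_HEADERS):
        print(f"cookie '{name}' is set without HttpOnly")
    print(add_httponly(SAMPLE_HEADERS[0]))
```

Cookies that page scripts legitimately have to read (some double-submit CSRF token designs, for instance) are the expected exceptions; a session cookie never is.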

Custom Description


Risk Rating


How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas




