HttpOnly Flag – Protecting Cookies from XSS

Cross-site scripting (XSS) attacks are often aimed at stealing session cookies. In such an attack, the cookie value is read by a client-side script using JavaScript (document.cookie). However, in everyday use, web applications rarely need to access cookies via JavaScript. Therefore, a method of protecting cookies from such theft was devised: a flag that tells the web browser that the cookie may only be accessed over HTTP – the HttpOnly flag.

The HttpOnly flag is not new. It was first implemented in Microsoft Internet Explorer 6 SP1 in 2002 to protect against the theft of sensitive information. Today, every major browser supports HttpOnly cookies. Only some niche mobile browsers may potentially ignore this flag – see the complete list of supported browsers on the Can I Use website.

How Does HttpOnly Work?

The HttpOnly attribute is an optional attribute of the Set-Cookie HTTP response header, which the web server sends to the web browser along with the web page in an HTTP response. Here is an example of setting a session cookie using the Set-Cookie header:

HTTP/2.0 200 OK
Content-Type: text/html
Set-Cookie: sessionid=QmFieWxvbiA1

The session cookie above is not protected and can be stolen in an XSS attack. However, if the session cookie is set as follows, it is protected from being accessed using JavaScript:

Set-Cookie: sessionid=QmFieWxvbiA1; HttpOnly

How to Set HttpOnly Server-Side?

All modern back-end languages and environments support setting the HttpOnly flag. Here is an example of how you can do this in PHP using the setcookie function:

setcookie("sessionid", "QmFieWxvbiA1", ['httponly' => true]);

The last argument ('httponly' => true in the options array) sets the HttpOnly attribute.

Other Flags for Secure Cookies

The HttpOnly flag is not the only flag that you can use to protect your cookies. Here are two more that may be useful.

The Secure Flag

The Secure flag is used to declare that the cookie may only be transmitted over a secure connection (SSL/HTTPS). If this flag is set, the browser will never send the cookie over a plain HTTP connection. This flag prevents cookie theft via man-in-the-middle attacks.

Note that this flag can only be set during an HTTPS connection. If it is set during an HTTP connection, the browser ignores it.

Set-Cookie: sessionid=QmFieWxvbiA1; HttpOnly; Secure

Example of setting the above cookie in PHP:

setcookie("sessionid", "QmFieWxvbiA1", ['httponly' => true, 'secure' => true]);
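The two sections above describe the HttpOnly and Secure flags as attributes of the Set-Cookie header. The following is an added example (not code from the original article): a small Python audit that parses every Set-Cookie header in a raw HTTP response and reports cookies that lack HttpOnly, lack Secure, or carry Secure on a response that was served over plain HTTP (which the text says browsers ignore). The helper names parse_set_cookie and audit_cookie_flags and the sample response SAMPLE_RESPONSE are constructed for illustration; the cookie value is the one used in the article.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example, not code from the original article. The function names
and the sample response below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CookieFlags:
    """Attributes recovered from one Set-Cookie header value."""
    name: str
    value: str
    httponly: bool = False
    secure: bool = False
    samesite: Optional[str] = None
    other: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> CookieFlags:
    """Parse a value such as 'sessionid=QmFieWxvbiA1; HttpOnly; Secure; SameSite=Strict'.

    Attribute names are matched case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = CookieFlags(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            cookie.httponly = True
        elif key == "secure":
            cookie.secure = True
        elif key == "samesite":
            cookie.samesite = val.strip() or None
        elif key:
            cookie.other[key] = val.strip()   # Path, Domain, Max-Age, ...
    return cookie


def audit_cookie_flags(raw_response: str, over_https: bool) -> Dict[str, List[str]]:
    """Return {cookie name: [findings]} for every Set-Cookie header in a raw response.

    over_https tells the auditor how the response was transported, because a
    Secure attribute set on a plain-HTTP response has no effect in the browser.
    """
    head, _, _ = raw_response.partition("\r\n\r\n")
    findings: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        hname, _, hval = line.partition(":")
        if hname.strip().lower() != "set-cookie":
            continue
        c = parse_set_cookie(hval)
        issues = []
        if not c.httponly:
            issues.append("missing HttpOnly: readable via document.cookie")
        if not c.secure:
            issues.append("missing Secure: sent over plain HTTP")
        elif not over_https:
            issues.append("Secure set on an HTTP response: browsers ignore it")
        if c.samesite is None:
            issues.append("missing SameSite: browser default applies")
        findings[c.name] = issues
    return findings


# Constructed sample response: one unprotected session cookie (as in the
# article's first example) and one cookie carrying all three attributes.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=QmFieWxvbiA1\r\n"
    "Set-Cookie: prefs=dark; Path=/; HttpOnly; Secure; SameSite=Strict\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for cookie_name, issues in audit_cookie_flags(SAMPLE_RESPONSE, over_https=True).items():
        print(cookie_name, "OK" if not issues else issues)
```

Running the block reports three findings for sessionid and none for prefs; calling audit_cookie_flags with over_https=False additionally flags the Secure attribute on prefs as ineffective. A check like this fits naturally into an integration test that fetches the login response of an application and fails the build when a session cookie is emitted without its flags.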

The SameSite Flag

The SameSite flag is used to declare when web browsers should send the cookie, depending on how a visitor interacts with the site that set the cookie. This flag is used to help protect against cross-site request forgery (CSRF) attacks.

The SameSite attribute may have one of the following values:

  • SameSite=Strict: The cookie is only sent if you are currently on the site that the cookie is set for. If you are on a different site and you click a link to the site that the cookie is set for, the cookie is not sent with that first request.
  • SameSite=Lax: The cookie is not sent for embedded content, but it is sent when you click on a link to the site that the cookie is set for. It is sent only with safe request types that do not change state, for example, GET.
  • SameSite=None: The cookie is sent even for embedded content.

Different browsers behave differently by default when the SameSite attribute is not set. For example, in 2019 the Google Chrome browser changed its default behavior for SameSite cookies.

Set-Cookie: sessionid=QmFieWxvbiA1; HttpOnly; Secure; SameSite=Strict

Example of setting the above cookie in PHP:

setcookie("sessionid", "QmFieWxvbiA1", ['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
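The three SameSite values listed above decide whether the browser attaches a cookie to a given request. The following is an added example (not code from the original article) that encodes those rules as a small decision function, so the difference between Strict, Lax and None can be checked against concrete requests: a same-site page load, a cross-site link click, an embedded image, and a cross-site form POST. The function name cookie_is_sent, its parameter names and the default_when_unset parameter (modelling the Lax default Chrome adopted in 2019) are constructed for illustration; the rules it applies are the ones stated in the text.

```python
"""Model of when a browser attaches a cookie, based on its SameSite value.

Added example, not code from the original article. It encodes the Strict,
Lax and None behaviours described in the text; the function and parameter
names are constructed for illustration.
"""
from typing import Optional

# Request methods that do not change server state (RFC 7231 "safe" methods).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def cookie_is_sent(samesite: Optional[str], same_site_request: bool,
                   top_level_navigation: bool, method: str,
                   default_when_unset: str = "Lax") -> bool:
    """Decide whether a cookie with the given SameSite attribute is attached.

    samesite:             the attribute value ("Strict", "Lax", "None") or None if unset.
    same_site_request:    the request originates from the site that set the cookie.
    top_level_navigation: the user follows a link so the address bar changes, as
                          opposed to embedded content (<img>, <iframe>, fetch) or
                          a form submitted from another site.
    method:               the HTTP method of the request.
    default_when_unset:   what the browser assumes when SameSite is absent; this
                          is the browser-specific default the text mentions.
    """
    mode = (samesite or default_when_unset).lower()
    if same_site_request:
        return True                       # same-site requests always carry the cookie
    if mode == "none":
        return True                       # cross-site too, including embedded content
    if mode == "lax":
        # Only a top-level navigation with a safe method, e.g. clicking a link.
        return top_level_navigation and method.upper() in SAFE_METHODS
    return False                          # Strict: never on a cross-site request


if __name__ == "__main__":
    # Constructed scenarios: (description, samesite, same_site, top_level, method)
    scenarios = [
        ("same-site page load", "Strict", True, True, "GET"),
        ("cross-site link click", "Strict", False, True, "GET"),
        ("cross-site link click", "Lax", False, True, "GET"),
        ("cross-site <img> load", "Lax", False, False, "GET"),
        ("cross-site form POST", "Lax", False, True, "POST"),
        ("cross-site <img> load", "None", False, False, "GET"),
        ("cross-site <img> load, attribute unset", None, False, False, "GET"),
    ]
    for desc, ss, same, top, m in scenarios:
        print(f"SameSite={ss!s:6} {desc:40} -> sent={cookie_is_sent(ss, same, top, m)}")
```

The cross-site form POST row is the CSRF case the text has in mind: with Strict or Lax the session cookie stays behind, so a forged request arrives unauthenticated. SameSite=None is the one value that still lets embedded cross-site content carry the cookie, which is why it should only be used for cookies that genuinely need it; current browsers also require the Secure attribute alongside SameSite=None.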

Are Cookie Flags Enough against XSS?

Even though cookie flags are effective against many attacks, they cannot be used as a remedy for cross-site scripting. Attackers may devise ways to circumvent these limitations, for example, by performing cross-site tracing (CST) attacks and stealing even cookies protected by flags like HttpOnly.

The only effective way to protect against cross-site scripting is to find such vulnerabilities in the application and eliminate them at the source. And the only effective way to find such vulnerabilities is by performing manual penetration testing and/or using an automated vulnerability scanner.


Tomasz Andrzej Nidecki
Technical Content Writer

Tomasz Andrzej Nidecki (also known as tonid) is a Technical Content Writer working for Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz was the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog devoted to email security.
