Secure and HttpOnly cookie attributes

Secure and HttpOnly are attributes used in the Set-Cookie HTTP response header to enhance the security of web applications.^[600-developer-tools-security-strict-transport-security.md]

Attributes

  • HttpOnly: When the HttpOnly flag is set, the cookie cannot be accessed via client-side scripts, specifically preventing access through document.cookie.^[600-developer-tools-security-strict-transport-security.md]
  • Secure: This attribute enforces that the cookie is only transmitted over encrypted HTTPS connections.^[600-developer-tools-security-strict-transport-security.md] If the connection is not using HTTPS, the browser does not send the cookie at all, so the cookie is effectively unavailable in non-HTTPS environments.^[600-developer-tools-security-strict-transport-security.md]

Implementation Example

In a server-side environment (e.g., Node.js), these attributes are typically configured when setting a cookie response.^[600-developer-tools-security-strict-transport-security.md]

// Express-style res.cookie(): emits a Set-Cookie header for 'cookie_name' with both attributes  
res.cookie('cookie_name', 'jack', {  
    httpOnly: true,  // not readable through document.cookie  
    secure: true     // only transmitted over HTTPS  
});
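The framework call above hides what actually goes on the wire. The following added example (written for this note, not code from the original or from any framework) builds the raw Set-Cookie header value that such a call produces and then audits a list of Set-Cookie headers for cookies missing Secure or HttpOnly, the kind of check a defender would run against a response's headers. The function names serializeCookie, parseSetCookie and auditSetCookies, the option names, and the sample headers are all assumptions constructed for this example.

```javascript
// Added example: build and audit Set-Cookie headers without a framework.
// serializeCookie / parseSetCookie / auditSetCookies are hypothetical helper
// names written for this note, not an Express or Node API.

// Build the value of a Set-Cookie response header. The option names
// (httpOnly, secure, path, maxAge, sameSite) are assumptions for this
// example; the attribute spellings and the "; " separator follow the
// Set-Cookie header syntax.
function serializeCookie(name, value, opts = {}) {
  // Reject characters that would let a name or value smuggle in extra
  // attributes or split the header.
  if (/[;,\s]/.test(name) || /[;,\s]/.test(value)) {
    throw new Error('cookie name/value must not contain ";", "," or whitespace');
  }
  const parts = [`${name}=${value}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse one Set-Cookie header value into its name/value pair and a map of
// attributes. Attribute names are matched case-insensitively, so "httponly"
// and "HttpOnly" are both recognised.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    attributes: {},
  };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Audit a list of Set-Cookie header values (for example the array found in
// res.headers['set-cookie'] when using Node's http client) and report each
// cookie that lacks Secure or HttpOnly. Returns [{ name, missing }, ...].
function auditSetCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    const missing = [];
    if (!c.attributes.secure) missing.push('Secure');
    if (!c.attributes.httponly) missing.push('HttpOnly');
    if (missing.length) findings.push({ name: c.name, missing });
  }
  return findings;
}

// Constructed sample: one cookie set with both attributes (equivalent to the
// res.cookie() call above) and one set with no security attributes.
const sampleHeaders = [
  serializeCookie('session', 'jack', { httpOnly: true, secure: true, path: '/' }),
  'tracking=abc123; Path=/', // constructed: no Secure, no HttpOnly
];

console.log(sampleHeaders);
console.log(auditSetCookies(sampleHeaders));
// The audit flags only 'tracking', reporting both Secure and HttpOnly as missing.
```

Running the file prints the two raw header values and the audit result; in practice the audit function would be fed the `set-cookie` array from a real response so that any session cookie emitted without both attributes is caught before deployment.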

Security Benefits

  • Mitigation of XSS: The primary benefit of these attributes is defense against Cross-Site Scripting (XSS).^[600-developer-tools-security-strict-transport-security.md] HttpOnly prevents malicious scripts injected into the page from reading sensitive session tokens through document.cookie.^[600-developer-tools-security-strict-transport-security.md]

Sources

  • [[Strict-Transport-Security]]
  • [[Content-Security-Policy]]

Sources

^[600-developer-tools-security-strict-transport-security.md]