
Cookies: HttpOnly

In order to improve the security of your site (and your users), you should enable the HttpOnly flag on all of your cookies. It helps prevent cross-site scripting (XSS) attacks from gaining access to session cookies through JavaScript, because browsers do not expose HttpOnly cookies to client-side scripts. This is how your cookies should look:

Set-Cookie: COOKIE=VAL; path=/; domain=.domain.com; secure; HttpOnly

Because the exact response headers depend on the technology powering the website, this guidance is deliberately generic: each programming language and technology stack has its own way of setting the flag.

For websites powered by PHP you can add the HttpOnly flag to cookies using either the setcookie or setrawcookie built-in functions. You can achieve the same result by adding the headers manually, like this:

<?php
// Example values; in real code take them from your cookie/session settings.
$name     = 'name';
$value    = 'value';
$expire   = time() + 3600;  // Unix timestamp at which the cookie expires.
$path     = '/';
$domain   = '.domain.com';
$secure   = true;
$httponly = true;

// Using the setcookie built-in PHP function (the value is URL-encoded).
setcookie(
    $name,    // Name of the cookie.
    $value,   // Value of the cookie.
    $expire,  // Time the cookie expires, as a Unix timestamp.
    $path,    // Path on the server for which the cookie is valid.
    $domain,  // The domain that the cookie is available to.
    $secure,  // Transmitted only over a secure HTTPS connection.
    $httponly // Accessible only through the HTTP protocol, not via JavaScript.
);

// Using the setrawcookie built-in PHP function; it takes the same
// parameters as setcookie but does not URL-encode the value.
setrawcookie($name, $value, $expire, $path, $domain, $secure, $httponly);

// Modifying the response headers manually. Pass false as the second
// argument so this header is appended instead of replacing an earlier
// Set-Cookie header that was already queued for the response.
header('Set-Cookie: name=value; path=/; domain=.domain.com; secure; HttpOnly', false);

These documents explain it in detail:

Multiple Cookies

It is important to mention that most web scanners, Sucuri SiteCheck included, will display a warning if at least one cookie (when more than one is set) is missing the HttpOnly flag. For instance, this website sets two cookies and only one of them is secured:

$ curl --head 'http://example.com/'
  HTTP/1.1 200 OK
  Server: Apache
  Pragma: no-cache
  Date: Wed, 01 Jan 2015 00:00:01 GMT
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Set-Cookie: abc_16951=a56f2718; expires=Wed, 31-Dec-2999 23:59:59 GMT; path=/; HttpOnly
  Set-Cookie: PHPSESSID=c543d1b48df7a597947f5556cbe06628; path=/
  Content-Type: text/html; charset=UTF-8
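The check a scanner performs on a response like the one above can be reproduced offline. The script below is an added example, not code from the original page or from Sucuri: it parses every Set-Cookie header in a captured response and reports which cookies lack the HttpOnly and Secure attributes. The sample headers are constructed from the curl output above plus one hypothetical "prefs" cookie that carries both flags; the function names are assumptions of this example.

```python
"""Audit Set-Cookie headers for missing HttpOnly and Secure attributes."""
from typing import Dict, List

# Constructed sample: the two Set-Cookie lines from the curl output above,
# plus a hypothetical third cookie that carries both flags (clean case).
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Server: Apache
Set-Cookie: abc_16951=a56f2718; expires=Wed, 31-Dec-2999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: PHPSESSID=c543d1b48df7a597947f5556cbe06628; path=/
Set-Cookie: prefs=dark; path=/; secure; HttpOnly
Content-Type: text/html; charset=UTF-8
"""


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into the cookie name and its attributes.

    Attribute names are case-insensitive (RFC 6265), so 'httponly', 'HttpOnly'
    and 'HTTPONLY' are all recognised; flag attributes without a value map to True.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name, "attrs": attrs}


def audit_cookies(raw_headers: str) -> List[Dict[str, object]]:
    """Return one finding per Set-Cookie header, listing the flags it lacks."""
    findings: List[Dict[str, object]] = []
    for line in raw_headers.splitlines():
        header, _, value = line.partition(":")
        if header.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        missing = [flag for flag in ("httponly", "secure") if flag not in cookie["attrs"]]
        findings.append({"name": cookie["name"], "missing": missing})
    return findings


def insecure_cookie_names(raw_headers: str) -> List[str]:
    """Names of cookies that would trigger a scanner warning (no HttpOnly flag)."""
    return [f["name"] for f in audit_cookies(raw_headers) if "httponly" in f["missing"]]


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        status = "OK" if not finding["missing"] else "missing " + ", ".join(finding["missing"])
        print(f"{finding['name']}: {status}")
```

Run against the sample, the script flags PHPSESSID as missing both HttpOnly and Secure, which is exactly the cookie the scanner would warn about; abc_16951 still lacks Secure, so it would fail a stricter policy even though it passes the HttpOnly check. To audit a live site, feed it the raw output of curl --head instead of SAMPLE_HEADERS.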