Cookie No HttpOnly Flag

You probably gonna find this issue in your manual browsing and spidering phase of your assessment. But also Nikto and Nessus will report this issue during your scanning phase.

OWASP Zap Output



A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.



Nikto Output

+ Cookie <cookiename> created without the httponly flag

Nessus Output

Web Application Cookies Not Marked HttpOnly
Plugin ID: 85601


The remote web application sets various cookies throughout a user’s unauthenticated and authenticated session. However, one or more of those cookies are not marked ‘HttpOnly’, meaning that a malicious client-side script, such as JavaScript, could read them. The HttpOnly flag is a security mechanism to protect against cross-site scripting attacks, which was proposed by Microsoft and initially implemented in Internet Explorer. All modern browsers now support it.

Note that this plugin detects all general cookies missing the HttpOnly cookie flag, whereas plugin 48432 (Web Application Session Cookies Not Marked HttpOnly) will only detect session cookies from an authenticated session missing the HttpOnly cookie flag.


Each cookie should be carefully reviewed to determine if it contains sensitive data or is relied upon for a security decision.

If possible, add the ‘HttpOnly’ attribute to all session cookies and any cookies containing sensitive data.

In IIS set the following configuration in the web.config

      <httpCookies httpOnlyCookies="true" />


Include the following information in the final report:

  • Name of the Website or WebApplication
  • The name of the cookie
  • A sample request and reponse