Authentication cookies set by a server can be read by client-side script if the httpOnly flag is not set.

An attacker who succeeds in mounting a cross-site scripting (XSS) attack can read the cookie and hijack the session.

Set the httpOnly flag on all cookies that do not need to be read by client-side script.

The following example stores an authentication token in a cookie that can be viewed by the client.

To force the browser to send the cookie only over SSL/TLS (HTTPS), also set the secure attribute on the cookie.
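The example below is added here and is not the page's own code; it builds the Set-Cookie header an Express-style `res.cookie()` call would emit, shows the exposed form beside the hardened one, and runs a small audit that flags auth cookies missing HttpOnly or Secure. The cookie name pattern and the token value are constructed assumptions.

```javascript
// Added example: build and audit Set-Cookie headers without a framework.
// buildSetCookie() mirrors the option names (httpOnly, secure, sameSite,
// maxAge in seconds, path) used by Express-style cookie APIs.
function buildSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (Number.isInteger(opts.maxAge)) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse one Set-Cookie header value into the cookie name and the set of
// lowercased attribute names (attribute names are case-insensitive).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const attributes = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return { name, attributes };
}

// Audit one Set-Cookie header. Cookie names matching `sensitive` (an assumed
// naming convention for session/auth cookies) must carry both flags.
function auditSetCookie(header, sensitive = /session|auth|token/i) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (!sensitive.test(name)) return findings; // not an auth cookie, no check
  if (!attributes.has('httponly')) {
    findings.push(`${name}: missing HttpOnly (readable via document.cookie after XSS)`);
  }
  if (!attributes.has('secure')) {
    findings.push(`${name}: missing Secure (sent over plaintext HTTP)`);
  }
  return findings;
}

// Exposed: the token is readable by client-side script and sent over HTTP.
const insecure = buildSetCookie('authToken', 'tok-constructed-123', { path: '/' });
// Hardened: script cannot read it and the browser only sends it over HTTPS.
const hardened = buildSetCookie('authToken', 'tok-constructed-123', {
  path: '/', httpOnly: true, secure: true, sameSite: 'Strict', maxAge: 3600,
});

console.log(auditSetCookie(insecure)); // two findings
console.log(auditSetCookie(hardened)); // []
```

The audit function can be pointed at the `set-cookie` headers of real responses to catch cookies that a code-level check missed.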

  • ExpressJS: Use cookies securely.
  • OWASP: Set cookie flags appropriately.
  • Mozilla: Set-Cookie.