Cookies without the HttpOnly flag set are accessible to client-side scripts such as JavaScript running in the same origin. If a Cross-Site Scripting (XSS) vulnerability is present, a malicious script can read and steal the cookie. If a sensitive cookie does not need to be accessed directly by client-side JavaScript, the HttpOnly flag should be set.

Set the HttpOnly flag to true for authentication cookies to ensure they are not accessible to client-side scripts.

When using ASP.NET Core, CookiePolicyOptions can be used to set a default policy for cookies. When using ASP.NET Web Forms, a default may also be configured in the Web.config file, using the httpOnlyCookies attribute of the <httpCookies> element.

In the example below, Microsoft.AspNetCore.Http.CookieOptions.HttpOnly is set to true.

In the following example, CookiePolicyOptions are set programmatically to configure defaults.

In the example below, System.Web.HttpCookie.HttpOnly is set to true.

In the example below, the httpOnlyCookies attribute is set to true in the Web.config file.
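The two ASP.NET Core approaches described above (per-cookie CookieOptions.HttpOnly and a site-wide CookiePolicyOptions default), combined in one added example that is not part of this query help page; the endpoint paths and the cookie value are constructed for illustration.

```csharp
// Added example (not the query's own sample code): ASP.NET Core minimal API
// showing a per-cookie HttpOnly setting next to a site-wide cookie policy.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Site-wide default: the cookie policy middleware rewrites every cookie
// written through Response.Cookies so that HttpOnly (and Secure) is set,
// even when an individual Append call forgets to do so.
builder.Services.Configure<CookiePolicyOptions>(options =>
{
    options.HttpOnly = HttpOnlyPolicy.Always;
    options.Secure = CookieSecurePolicy.Always;
});

var app = builder.Build();
app.UseCookiePolicy(); // must be registered before anything that writes cookies

app.MapGet("/login-bad", (HttpContext ctx) =>
{
    // BAD on its own: HttpOnly is left at its default of false, so
    // document.cookie in the same origin can read "session". Only the
    // policy registered above rescues this endpoint.
    ctx.Response.Cookies.Append("session", "constructed-session-id");
    return Results.Ok();
});

app.MapGet("/login-good", (HttpContext ctx) =>
{
    // GOOD: HttpOnly is set explicitly on the CookieOptions for this cookie,
    // so it is protected regardless of whether the policy middleware runs.
    var opts = new CookieOptions
    {
        HttpOnly = true,
        Secure = true,
        SameSite = SameSiteMode.Strict,
    };
    ctx.Response.Cookies.Append("session", "constructed-session-id", opts);
    return Results.Ok();
});

app.Run();
```

Checking the response headers of either endpoint (for example with the browser's developer tools) should show `HttpOnly` on the `Set-Cookie` line; if `/login-bad` lacks it, the cookie policy middleware is not in the pipeline ahead of the endpoint.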

  • ASP.NET Core docs: CookieOptions.HttpOnly Property.
  • MDN: Set-Cookie Header.
  • Web Forms docs: HttpCookie.HttpOnly Property.
  • Web Forms docs: httpCookies Element.
  • PortSwigger: Cookie without HttpOnly flag set.