What is Missing Secure or HTTPOnly Cookie Flag Non-Session Cookie Vulnerability?

If the HttpOnly attribute is set on a cookie, client-side JavaScript (for example via document.cookie) cannot read or modify the cookie's value. This safeguard makes certain client-side attacks, such as cross-site scripting, somewhat harder to exploit, because an injected script cannot obtain the cookie's value directly.

In most cases there is no compelling reason not to set HttpOnly on every cookie. Unless you explicitly need legitimate client-side scripts in your application to read or write a cookie's value, set the flag by adding the HttpOnly attribute to the relevant Set-Cookie header.

Beyond simple cookie theft, be aware that the protection provided by the HttpOnly flag can be bypassed in some circumstances, and that client-side script injection enables a range of attacks more damaging than reading a cookie.
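The following Node.js snippet is an added example, not code from the original page or from ZOFixer. It shows the two sides of the advice above from a defender's perspective: a helper that emits a Set-Cookie header with HttpOnly and Secure applied by default, and an audit routine that parses Set-Cookie header values (as a scanner or a response-header test would) and reports cookies that lack either flag. The function names, option names and the sample headers are all constructed for this illustration.

```javascript
'use strict';

// Build a Set-Cookie header value with protective attributes applied by default.
// `opts` keys (path, maxAge, sameSite, secure, httpOnly) are assumed names for
// this example, not the API of any particular framework.
function buildSetCookie(name, value, opts = {}) {
  const { path = '/', maxAge, sameSite = 'Lax', secure = true, httpOnly = true } = opts;
  // Cookie names are RFC 6265 tokens; reject anything else.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error(`invalid cookie name: ${name}`);
  }
  // Separators, whitespace and quotes would let a value smuggle in extra attributes.
  if (/[;,\s"\\]/.test(value)) {
    throw new Error('cookie value contains characters that are not allowed');
  }
  // Browsers reject SameSite=None unless the cookie is also marked Secure.
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse one Set-Cookie header value into the cookie name and a map of its
// attributes. Attribute names are case-insensitive, so they are lower-cased.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const flags = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    flags[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, flags };
}

// Audit a list of Set-Cookie header values and report which cookies are
// missing HttpOnly or Secure. Returns an array of { name, missing: [...] }.
function auditSetCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const { name, flags } = parseSetCookie(h);
    const missing = [];
    if (!flags.httponly) missing.push('HttpOnly');
    if (!flags.secure) missing.push('Secure');
    if (missing.length) findings.push({ name, missing });
  }
  return findings;
}

// Constructed sample response headers for the demonstration.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax', // correctly flagged
  'prefs=dark; Path=/',                                       // missing both flags
  'csrftoken=xyz; Path=/; Secure',                            // missing HttpOnly
];
```

Calling `buildSetCookie('sessionid', 'abc123', { maxAge: 3600, sameSite: 'Strict' })` yields a header with Secure and HttpOnly already present, and `auditSetCookies(SAMPLE_HEADERS)` reports the second and third sample cookies. The audit treats attribute names case-insensitively, which matters because a scanner that only matches the literal string "HttpOnly" will miss headers written as "httponly" and report a false positive.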

The ZOFixer.com security scan helps you find this vulnerability in your software and server; you can use it by registering on our website and activating the 30-day trial.
