What is the Missing Secure or HttpOnly Cookie Flag – Session Token Vulnerability?

HttpOnly is an extra flag included in a Set-Cookie HTTP response header, according to the Microsoft Developer Network. Setting the HttpOnly option when creating a cookie reduces the risk of client-side script accessing the protected cookie (if the browser supports it).

If the HTTP response header contains the (optional) HttpOnly flag, the cookie cannot be read by client-side script (again, if the browser supports the flag). As a consequence, even if there is a cross-site scripting (XSS) bug and a user unintentionally clicks a link that exploits it, the browser (mainly Internet Explorer) will not divulge the cookie to a third party.

If a browser does not support HttpOnly and a website attempts to set an HttpOnly cookie, the browser ignores the flag, resulting in a standard, script-accessible cookie. As a result, the cookie (usually your session cookie) is susceptible to theft or modification by malicious code.

According to Michael Howard, Senior Security Program Manager in Microsoft’s Secure Windows Initiative division, the bulk of XSS attacks target session cookie theft. A server can help avoid this problem by setting the HttpOnly flag on a cookie it issues, indicating that the cookie should not be available to client-side script.

If a browser that supports HttpOnly detects a cookie with the HttpOnly flag and client-side script tries to read it, the browser returns an empty string. This prevents the malicious (typically XSS) code from sending the cookie to the attacker’s site, so the attack fails.
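The following is an added example, not code from the original article or from ZOFixer. It shows, on the server side, both halves of the problem the post describes: issuing a session cookie with the HttpOnly and Secure flags set, and auditing Set-Cookie headers to report which of those flags are missing, which is the check a scanner performs. It uses only the Python standard library's http.cookies module; the function names build_session_cookie, audit_set_cookie and audit_response_headers, and the sample headers, are constructed for this example.

```python
"""Build hardened Set-Cookie headers and audit existing ones for missing flags."""
from http.cookies import SimpleCookie


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Return a Set-Cookie header value for a session token with HttpOnly and
    Secure set (plus SameSite=Lax). Hypothetical helper: web frameworks expose
    equivalent options on their own cookie-setting calls."""
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    morsel["httponly"] = True   # browsers that honour it hide the cookie from script
    morsel["secure"] = True     # browser only sends the cookie over HTTPS
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header value and map each cookie name to the list
    of protective flags it is missing (empty list means both flags present)."""
    cookie = SimpleCookie()
    cookie.load(header_value)
    findings = {}
    for cookie_name, morsel in cookie.items():
        missing = []
        # Absent flag attributes parse as an empty string, present ones as True.
        if not morsel["httponly"]:
            missing.append("HttpOnly")
        if not morsel["secure"]:
            missing.append("Secure")
        findings[cookie_name] = missing
    return findings


def audit_response_headers(headers: list) -> dict:
    """Audit every Set-Cookie header in a list of (name, value) response
    header pairs; header names are matched case-insensitively."""
    findings = {}
    for header_name, header_value in headers:
        if header_name.lower() == "set-cookie":
            findings.update(audit_set_cookie(header_value))
    return findings


if __name__ == "__main__":
    # Constructed sample response headers: one weak session cookie, one hardened.
    sample_headers = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "sessionid=abc123; Path=/"),
        ("Set-Cookie", build_session_cookie("session", "tok")),
    ]
    for name, missing in audit_response_headers(sample_headers).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
```

Two caveats a practitioner should keep in mind when reading the audit output: HttpOnly only stops script from reading the cookie value, it does not stop injected script from issuing requests that the browser will attach the cookie to, so it limits the damage of an XSS bug rather than removing the need to fix it; and Secure governs transport only, so a cookie that lacks it can be sent in clear text over HTTP even if it carries HttpOnly.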

The ZOFixer.com security scan helps find this vulnerability in your software and server; you can use it by registering on our website and activating the 30-day trial.
