Cookie Set Without HttpOnly Flag
What is it?
A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript.
If a malicious script can be run on this page, then the cookie will be accessible to that script and can be transmitted to another site. If this is a session cookie, session hijacking may be possible.
References
Test case FAQs
When is this test case applicable?
This is applicable for all API endpoints when the Baseline security category is enabled in test plans.
How does it work?
Responses sent by the API server are analyzed for 'Set-Cookie' headers that lack the 'HttpOnly' attribute.
What is the solution?
Ensure that the HttpOnly flag is set for all cookies.
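The check described under "How does it work?" and the remediated form described under "What is the solution?" are illustrated by the following added example. It is not the scanner's own code: it parses each Set-Cookie header of a response (attribute names are matched case-insensitively, as RFC 6265 requires) and reports every cookie that lacks the HttpOnly attribute. The header values are constructed samples.

```python
"""Report cookies that a response sets without the HttpOnly flag.

Added example, not the scanner's own code. It mirrors the documented check:
every Set-Cookie header in a response is inspected for the HttpOnly
attribute, and any cookie lacking it is reported as a finding.
"""
from typing import Dict, List, Tuple


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie header into (cookie_name, {attribute: value}).

    The first ';'-separated part is the name=value pair; the remaining parts
    are attributes. Attribute names are lower-cased because RFC 6265 treats
    them case-insensitively; flag attributes (HttpOnly, Secure) get an empty
    value. The cookie's own value is never inspected, so a cookie value that
    happens to contain the text "HttpOnly" cannot satisfy the check.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cookies_missing_httponly(set_cookie_headers: List[str]) -> List[str]:
    """Return the names of cookies whose Set-Cookie header lacks HttpOnly."""
    missing: List[str] = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed sample headers, as one response might carry them.
# "WEAK_SESSION" and "prefs" reproduce the finding; "SESSION" shows the
# remediated form with HttpOnly set; "token" shows that lower-case attribute
# names are still recognised and therefore not reported.
SAMPLE_SET_COOKIE_HEADERS = [
    "WEAK_SESSION=abc123; Path=/; Secure",
    "SESSION=def456; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=theme%3Ddark; Path=/; Max-Age=2592000",
    "token=xyz; httponly; secure",
]

if __name__ == "__main__":
    for cookie_name in cookies_missing_httponly(SAMPLE_SET_COOKIE_HEADERS):
        print(f"Cookie set without HttpOnly flag: {cookie_name}")
```

Because the check works on response headers, it only covers cookies the server issues via Set-Cookie; when reviewing a finding, confirm that the remediated header carries HttpOnly alongside the other attributes already present (Path, Secure, SameSite), as the SESSION sample above does.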