Version: v1

Cookie Set Without HttpOnly Flag

What is it?

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript.

If a malicious script can be run on this page (for example through a cross-site scripting flaw), the cookie can be read from JavaScript and transmitted to another site. If the cookie is a session cookie, session hijacking may be possible.

Test case FAQs

When is this test case applicable?

This is applicable for all API endpoints when the Baseline security category is enabled in test plans.

How does it work?

Each response sent by the API server is inspected for 'Set-Cookie' headers. Any cookie whose attribute list does not include the 'HttpOnly' flag is reported.

What is the solution?

Ensure that the HttpOnly flag is set for all cookies.
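The check described under "How does it work?" and the fix described under "What is the solution?" can both be illustrated with a small parser. The following is an added example, not code from the test plan or its scanner: it walks a response's header list, parses each Set-Cookie value, reports cookies that lack HttpOnly, and shows how a missing flag would be appended. The two response header lists are constructed samples; the function names are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample responses, given as ordered (header-name, value) pairs.
# Set-Cookie is kept as separate headers on purpose: RFC 6265 forbids folding
# several Set-Cookie headers into one comma-joined value, and the Expires
# attribute itself contains a comma, so a dict of joined headers would be wrong.
RESPONSE_MISSING_HTTPONLY: List[Tuple[str, str]] = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT"),
]

RESPONSE_FIXED: List[Tuple[str, str]] = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/; httponly"),  # attribute names are case-insensitive
]


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into the cookie name and its attributes.

    Attribute names are lower-cased so that 'HttpOnly', 'httponly' and
    'HTTPONLY' all compare equal; flag attributes map to an empty string.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def find_cookies_without_httponly(headers: List[Tuple[str, str]]) -> List[str]:
    """Return the names of cookies set by the response without the HttpOnly flag.

    This is the detection step: every Set-Cookie header is examined and any
    cookie whose attribute set lacks 'httponly' becomes a finding.
    """
    findings: List[str] = []
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        cookie_name, attrs = parse_set_cookie(header_value)
        if "httponly" not in attrs:
            findings.append(cookie_name)
    return findings


def add_httponly(set_cookie_value: str) -> str:
    """Return the Set-Cookie value with HttpOnly appended if it is missing.

    Illustrates the remediation; in practice the flag should be set where the
    cookie is created in the application or framework rather than patched on.
    """
    _, attrs = parse_set_cookie(set_cookie_value)
    if "httponly" in attrs:
        return set_cookie_value
    return set_cookie_value.rstrip("; ") + "; HttpOnly"


if __name__ == "__main__":
    for label, response in (("missing", RESPONSE_MISSING_HTTPONLY), ("fixed", RESPONSE_FIXED)):
        print(label, "->", find_cookies_without_httponly(response))
    print(add_httponly("session=abc123; Path=/; Secure"))
```

Running the block reports `session` and `theme` for the first response and nothing for the second. Because HttpOnly only stops script access, the same response should normally also be checked for the Secure and SameSite attributes; this example deliberately covers only the flag the test case is about.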