Vulnerability & Exploit Database


Missing HttpOnly Flag From Cookie

Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published: May 30, 2011
Added: August 16, 2011
Modified: November 04, 2013

Description

HttpOnly is an additional flag included in a Set-Cookie HTTP response header. If supported by the browser, setting the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie. If a browser that supports HttpOnly detects a cookie carrying the HttpOnly flag, and client-side script attempts to read the cookie, the browser returns an empty string as the result. This causes the attack to fail, because the malicious (usually XSS) code never obtains the cookie value and so cannot send it to an attacker's website.
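The check behind this finding is a parse of each Set-Cookie response header for the HttpOnly attribute, and the fix is to add that attribute. The following Python is an added example written for this page; it is not Nexpose's own scanner logic or any application's code. It parses Set-Cookie header values the way a browser does (attribute names matched case-insensitively per RFC 6265), reports cookies set without HttpOnly, and shows the remediated header beside the weak one. The sample headers and cookie names are constructed.

```python
"""Detect and remediate Set-Cookie headers that lack the HttpOnly flag."""
from typing import Dict, List


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased so that HttpOnly, httponly and HTTPONLY
    all match, as browsers treat them equivalently. Flag attributes that
    carry no value (HttpOnly, Secure) are recorded as True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            attr_name, _, attr_value = part.partition("=")
            attrs[attr_name.strip().lower()] = attr_value.strip()
        else:
            attrs[part.lower()] = True
    return {"name": name.strip(), "value": value.strip(), "attributes": attrs}


def is_httponly(header_value: str) -> bool:
    """True if the cookie is protected from client-side script access."""
    return "httponly" in parse_set_cookie(header_value)["attributes"]


def cookies_missing_httponly(set_cookie_headers: List[str]) -> List[str]:
    """Return the names of cookies set without HttpOnly (this page's finding)."""
    return [parse_set_cookie(h)["name"]
            for h in set_cookie_headers if not is_httponly(h)]


def add_httponly(header_value: str) -> str:
    """Remediation: append the HttpOnly attribute when it is absent.

    With this flag present, document.cookie in a supporting browser yields
    an empty string for the cookie, so an XSS payload cannot read it.
    """
    if is_httponly(header_value):
        return header_value
    return header_value.rstrip("; ") + "; HttpOnly"


# Constructed sample Set-Cookie header values (not from any real application).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure",        # missing HttpOnly: finding
    "csrftoken=xyz789; Path=/; HttpOnly",      # already protected
    "prefs=dark; Path=/; Max-Age=31536000",    # missing HttpOnly: finding
]

if __name__ == "__main__":
    for cookie_name in cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"cookie '{cookie_name}' is set without HttpOnly")
    print("remediated:", add_httponly(SAMPLE_HEADERS[0]))
```

Run against captured response headers, cookies_missing_httponly lists the cookies to fix; the session cookie is the one that matters most, since it is what an XSS payload would try to exfiltrate. Note that HttpOnly only blocks script reads of the cookie; it does not stop an injected script from issuing requests that the browser will still attach the cookie to, so it is a mitigation alongside fixing the XSS itself, not a replacement.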


Solution

add-http-only-to-cookie