---
title: Set HttpOnly On Session Cookies
impact: HIGH
impactDescription: prevents XSS cookie theft
tags: cookies, session, xss, security, csharp
---

## Set HttpOnly On Session Cookies

A cookie flagged `HttpOnly` is still sent by the browser on every matching request, but it is not exposed to script: `document.cookie` does not list it and the Fetch/XHR APIs do not reveal it. An XSS payload therefore cannot read the session token and exfiltrate it to an attacker-controlled host. It does not stop the payload from issuing requests from the victim's browser that carry the cookie automatically, so `HttpOnly` limits the damage of an XSS bug rather than preventing it; fix the injection itself, and pair the flag with `Secure` and an explicit `SameSite` policy.

In ASP.NET Core, `CookieOptions.HttpOnly` defaults to `false`, so any cookie written manually through `Response.Cookies.Append` is script-readable unless the flag is set explicitly. The built-in session and cookie-authentication middleware set `HttpOnly` on their own cookies by default.

**Incorrect (HttpOnly=false):**

```csharp
// Same result as leaving HttpOnly unset: the default is false.
var options = new CookieOptions
{
    HttpOnly = false // Readable via document.cookie by any injected script
};
Response.Cookies.Append("session", token, options);
```

**Correct (HttpOnly=true):**

```csharp
var options = new CookieOptions
{
    HttpOnly = true // Browser still sends it, script cannot read it
};
Response.Cookies.Append("session", token, options);
```
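The flag is easy to drop when a cookie is written outside the framework's middleware, so it is worth checking the actual `Set-Cookie` headers rather than the code. The following console program is an added example, not code from the original page: it parses `Set-Cookie` header values and reports session-looking cookies that lack `HttpOnly` or `Secure`. The sample headers are constructed, the cookie-name heuristic (`SessionHints`) is an assumption to adjust per application, and it assumes .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (not from the original page): audit Set-Cookie headers for
// missing HttpOnly/Secure on session-like cookies.
static class CookieAudit
{
    public sealed record Finding(string Name, bool HttpOnly, bool Secure, string SameSite);

    // Parse one Set-Cookie header value into its cookie name and attribute flags.
    public static Finding Parse(string setCookie)
    {
        var parts = setCookie.Split(';', StringSplitOptions.TrimEntries | StringSplitOptions.RemoveEmptyEntries);
        var name = parts[0].Split('=', 2)[0].Trim();
        bool httpOnly = false, secure = false;
        string sameSite = "(absent)";
        foreach (var attr in parts.Skip(1))
        {
            var kv = attr.Split('=', 2);
            var key = kv[0].Trim();
            if (key.Equals("HttpOnly", StringComparison.OrdinalIgnoreCase)) httpOnly = true;
            else if (key.Equals("Secure", StringComparison.OrdinalIgnoreCase)) secure = true;
            else if (key.Equals("SameSite", StringComparison.OrdinalIgnoreCase) && kv.Length == 2) sameSite = kv[1].Trim();
        }
        return new Finding(name, httpOnly, secure, sameSite);
    }

    // Assumed heuristic: cookie names that usually carry a session or auth token.
    static readonly string[] SessionHints = { "session", "sess", "auth", "token", "sid" };

    public static bool LooksLikeSession(string name) =>
        SessionHints.Any(h => name.Contains(h, StringComparison.OrdinalIgnoreCase));

    // Returns one line per problem found on session-like cookies; empty means clean.
    public static List<string> Audit(IEnumerable<string> setCookieHeaders)
    {
        var problems = new List<string>();
        foreach (var header in setCookieHeaders)
        {
            var f = Parse(header);
            if (!LooksLikeSession(f.Name)) continue;
            if (!f.HttpOnly) problems.Add($"{f.Name}: missing HttpOnly (readable via document.cookie)");
            if (!f.Secure) problems.Add($"{f.Name}: missing Secure (sent over plaintext HTTP)");
        }
        return problems;
    }

    static void Main()
    {
        // Constructed sample headers, as they might appear on a login response.
        var headers = new[]
        {
            "session=abc123; Path=/; SameSite=Lax",                           // vulnerable
            ".AspNetCore.Session=xyz; Path=/; Secure; HttpOnly; SameSite=Lax", // fine
            "theme=dark; Path=/"                                              // not a session cookie
        };
        foreach (var line in Audit(headers)) Console.WriteLine("FAIL " + line);
        // To audit a live endpoint, feed the values from
        // HttpResponseMessage.Headers.TryGetValues("Set-Cookie", out var values) into Audit.
    }
}
```

Run against the sample, the program reports the `session` cookie for both missing `HttpOnly` and missing `Secure` and says nothing about the other two. The same check fits an integration test that logs in against a test server and asserts `Audit(...)` returns an empty list.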

**Tools:** Browser DevTools (the cookie list under Application or Storage has an HttpOnly column; in the Console, `document.cookie` must not list the session cookie); `curl -i` against the login endpoint to inspect the raw `Set-Cookie` header for the `HttpOnly` attribute.
