---
title: Set HttpOnly On Session Cookies
impact: HIGH
impactDescription: prevents session cookie theft via Cross-Site Scripting (XSS)
tags: cookies, httponly, xss, session, security, kotlin
---

## Set HttpOnly On Session Cookies

Without the `HttpOnly` flag, a session cookie is readable from JavaScript through the `document.cookie` API, so any Cross-Site Scripting (XSS) vulnerability lets an attacker read the session identifier and hijack the active session.

**Incorrect (no HttpOnly flag):**

```kotlin
// Ktor
call.response.cookies.append("session", token) // No HttpOnly: append() defaults httpOnly to false

// Spring Boot / Servlet
val cookie = Cookie("session", token)
response.addCookie(cookie) // HttpOnly defaults to false
```

**Correct (HttpOnly set):**

```kotlin
// Ktor
call.response.cookies.append(
    name = "session",
    value = token,
    httpOnly = true,    // Prevents JS access
    secure = true,
    extensions = mapOf("SameSite" to "Strict")
)

// Spring Boot / Servlet
val cookie = Cookie("session", token).apply {
    isHttpOnly = true   // Prevents JS access
    isSecure = true
}
response.addCookie(cookie)

// Spring Boot: enable HttpOnly on the container-managed session cookie
// (e.g. JSESSIONID) in application.properties:
// server.servlet.session.cookie.http-only=true
```

**Security Impact:**
Even if your application has an XSS vulnerability, the `HttpOnly` flag prevents the attacker from immediately stealing the session identifier, buying time for detection and defense. Note the limit of the control: the browser still attaches an `HttpOnly` cookie to requests, so injected script can still act within the victim's session; the flag only stops the cookie value from being read and exfiltrated for reuse elsewhere.

**Tools:** OWASP ZAP, Burp Suite, Browser DevTools (cookie panel: verify the "HttpOnly" column is checked)
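As an added example (not code from the original page), the Kotlin snippet below audits raw `Set-Cookie` header values for the attributes discussed above, which is the same check the listed tools perform. It can be dropped into a test that captures the `Set-Cookie` header of a login response. The `CookieAudit` and `auditSetCookie` names and the sample header strings are constructed for this example.

```kotlin
// Added example (not from the original page): audit Set-Cookie header values
// for the session-cookie attributes discussed above. The header strings in
// main() are constructed samples, not captured from a real application.

data class CookieAudit(
    val name: String,
    val httpOnly: Boolean,
    val secure: Boolean,
    val sameSite: String?,
) {
    // Findings a reviewer would flag for a session cookie.
    val findings: List<String>
        get() = buildList {
            if (!httpOnly) add("missing HttpOnly: readable via document.cookie")
            if (!secure) add("missing Secure: sent over plaintext HTTP")
            if (sameSite == null) add("missing SameSite: browser default applies")
        }
}

// Parse one Set-Cookie header value. Attribute names are case-insensitive
// per RFC 6265, so "httponly" and "HttpOnly" are treated the same.
fun auditSetCookie(header: String): CookieAudit {
    val parts = header.split(';').map { it.trim() }
    val name = parts.first().substringBefore('=').trim()
    val attrs = parts.drop(1)
    // Attribute names only (value-less flags like Secure come through unchanged).
    val flags = attrs.map { it.substringBefore('=').lowercase() }.toSet()
    val sameSite = attrs
        .firstOrNull { it.substringBefore('=').equals("SameSite", ignoreCase = true) }
        ?.substringAfter('=', missingDelimiterValue = "")
        ?.trim()
        ?.takeIf { it.isNotEmpty() }
    return CookieAudit(
        name = name,
        httpOnly = "httponly" in flags,
        secure = "secure" in flags,
        sameSite = sameSite,
    )
}

fun main() {
    // Constructed sample headers: the first is what the "Incorrect" block emits,
    // the second is what the "Correct" Ktor block emits.
    val samples = listOf(
        "session=abc123; Path=/",
        "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    )
    for (h in samples) {
        val audit = auditSetCookie(h)
        val verdict = if (audit.findings.isEmpty()) "OK" else audit.findings.joinToString("; ")
        println("cookie '${audit.name}': $verdict")
    }
}
```

Run with `kotlinc` and the first sample reports all three findings while the second reports OK; in a Ktor or Spring test, feed the captured `Set-Cookie` header into `auditSetCookie` and assert that `findings` is empty for the session cookie.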
