---
title: Use HttpOnly Cookie Flag
impact: MEDIUM
impactDescription: prevents cookie theft via Cross-Site Scripting (XSS)
tags: security, cookies, xss, httponly
---

## Use HttpOnly Cookie Flag

Set the `httponly` flag on session and other sensitive cookies so the browser never exposes them to client-side JavaScript (`document.cookie`); an XSS payload on the page then cannot read and exfiltrate them. HttpOnly does not stop a script from issuing requests that carry the cookie, so it limits the damage of an XSS bug rather than replacing the fix for it.

**Incorrect (not HttpOnly):**

```ruby
cookies[:token] = { value: "abc", httponly: false }
```

**Correct (HttpOnly enabled):**

```ruby
# Rails already sets httponly on its own session cookie; for any other
# sensitive cookie written through the cookie jar, set it explicitly
cookies[:token] = { value: "abc", httponly: true }
```
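As an added example (not part of the original rule page, and not Rails or Brakeman code), a plain-Ruby audit helper that parses `Set-Cookie` header values and reports cookies with sensitive-looking names that lack the `HttpOnly` attribute. The sensitive-name pattern and the sample headers are constructed assumptions; the helper uses only the standard library so it can run against captured response headers without Rails.

```ruby
# Added example: audit Set-Cookie headers for missing HttpOnly.
# Which cookie names count as "sensitive" is an assumption for this example.
SENSITIVE_PATTERN = /session|token|auth|sid/i

# Parse one Set-Cookie header value into its name, value and attributes.
# Attribute names are case-insensitive (RFC 6265), so they are downcased;
# flag attributes such as HttpOnly and Secure carry no value and map to true.
def parse_set_cookie(header)
  name_value, *attrs = header.split(";").map(&:strip)
  name, value = name_value.split("=", 2)
  attributes = {}
  attrs.each do |attr|
    k, v = attr.split("=", 2)
    attributes[k.downcase] = v.nil? ? true : v
  end
  { name: name, value: value, attributes: attributes }
end

# Return the names of sensitive cookies that were set without HttpOnly.
def cookies_missing_httponly(headers)
  headers.map { |h| parse_set_cookie(h) }
         .select { |c| c[:name] =~ SENSITIVE_PATTERN }
         .reject { |c| c[:attributes].key?("httponly") }
         .map { |c| c[:name] }
end

# Constructed sample headers, shaped like what a server might emit.
SAMPLE_HEADERS = [
  "_app_session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "token=abc; Path=/",                     # sensitive and no HttpOnly: flagged
  "theme=dark; Path=/; Max-Age=31536000",  # not sensitive: ignored
  "auth_id=42; path=/; httponly"           # lowercase attribute still counts
]

if __FILE__ == $0
  missing = cookies_missing_httponly(SAMPLE_HEADERS)
  if missing.empty?
    puts "All sensitive cookies set HttpOnly"
  else
    puts "Sensitive cookies missing HttpOnly: #{missing.join(', ')}"
  end
end
```

Run it against the headers of a real response (for example, collected from a staging environment's `Set-Cookie` lines) to get a quick list of cookies that need the flag; on the sample above it reports only `token`.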

**Tools:** Brakeman, Mozilla Observatory
