JavaScript Can't Touch This

In this lesson, we'll study how the HttpOnly flag works.


As we’ve seen earlier, XSS attacks allow a malicious user to execute arbitrary JavaScript on a page. Considering that you could read the contents of the cookie jar with a simple document.cookie, protecting our cookies from untrusted JavaScript access is a very important aspect of hardening them.

Luckily, the HTTP spec took care of this with the HttpOnly flag. By using this directive we can instruct the browser not to share the cookie with JavaScript. The browser then leaves the cookie out of document.cookie, making it impossible to access the cookie via JS.


If we look at the example at we can clearly see how this works.
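The sketch below is an added illustration, not the lesson's own example: it models which cookies a page's script would see in document.cookie for a given set of Set-Cookie headers, and lists the cookies that lack the flag. The header values and function names are constructed for this example, and the model assumes every cookie matches the page's path, domain and expiry.

```javascript
// Constructed Set-Cookie headers, as a server might send them.
const sampleHeaders = [
  "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "theme=dark; Path=/",
  "csrf_hint=xyz; Path=/; httponly", // attribute names are case-insensitive
  "tracking=HttpOnly; Path=/",       // "HttpOnly" as a value is not the flag
];

// Parse one Set-Cookie header into { name, value, attrs }.
// Returns null for headers without a usable name=value pair.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  if (eq === -1) return null;
  const name = pair.slice(0, eq).trim();
  if (!name) return null;
  const value = pair.slice(eq + 1).trim();
  const attrs = new Map();
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs.set(key, i === -1 ? true : part.slice(i + 1).trim());
  }
  return { name, value, attrs };
}

// Cookies without the HttpOnly attribute: the only ones script can read.
function withoutHttpOnly(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => c !== null && !c.attrs.has("httponly"));
}

// The string a page's script would get back from document.cookie.
function scriptVisible(headers) {
  return withoutHttpOnly(headers)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Audit helper: names of cookies that are exposed to JavaScript.
function missingHttpOnly(headers) {
  return withoutHttpOnly(headers).map((c) => c.name);
}

console.log("document.cookie ->", scriptVisible(sampleHeaders));
console.log("missing HttpOnly ->", missingHttpOnly(sampleHeaders));
```

HttpOnly only hides the cookie from script; the browser still attaches it to matching requests.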
