
JavaScript Can't Touch This

Understand how the HttpOnly flag enhances web security by preventing JavaScript access to cookies, reducing the risk of XSS attacks and session hijacking. Explore how this flag keeps cookies private between browsers and servers, and learn about mitigating vulnerabilities like Cross-Site Tracing by disabling TRACE requests at the server level.


As we’ve seen earlier, an XSS attack lets a malicious user execute arbitrary JavaScript on a page. Since a single expression, document.cookie, returns every cookie the browser holds for the current origin, an injected script can read the session cookie and exfiltrate it with one request. Keeping cookies out of reach of untrusted JavaScript is therefore a central part of hardening them.
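The following example, added here and not part of the original page, models the rule the browser applies when a script reads document.cookie: every cookie for the origin is returned except those whose Set-Cookie header carried the HttpOnly attribute. It parses a constructed set of Set-Cookie headers (the cookie names and values are made up for the demonstration) and also flags session-looking cookies that are missing the attribute, which is the check a reviewer would run against a real application's responses.

```javascript
// Added example (not from the original page). The Set-Cookie headers
// below are constructed for the demonstration; the names are illustrative.
const SAMPLE_SET_COOKIE_HEADERS = [
  'sessionid=8f3a9c2e; Path=/; Secure; HttpOnly; SameSite=Lax',
  'theme=dark; Path=/; Max-Age=31536000',
  'csrftoken=tok123; Path=/; Secure; SameSite=Strict',
];

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive, so they are lower-cased here;
// boolean attributes such as HttpOnly and Secure are stored as `true`.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq <= 0) throw new Error(`malformed cookie pair: ${pair}`);
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// What an injected script would get back from document.cookie for these
// cookies: the browser omits every cookie set with HttpOnly, so the
// session identifier never reaches script even under XSS.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !('httponly' in c.attrs))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Audit helper: names of cookies that look like credentials (session ids,
// auth tokens) but were set without HttpOnly. The name pattern is a
// heuristic chosen for this example, not a standard.
function findUnprotectedSessionCookies(
  setCookieHeaders,
  pattern = /sess|sid|auth|token/i,
) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => pattern.test(c.name) && !('httponly' in c.attrs))
    .map((c) => c.name);
}

console.log('document.cookie would return:', scriptVisibleCookies(SAMPLE_SET_COOKIE_HEADERS));
console.log('session-like cookies lacking HttpOnly:', findUnprotectedSessionCookies(SAMPLE_SET_COOKIE_HEADERS));
```

Note the limit of the flag: HttpOnly denies script the cookie's value, but an XSS payload can still make requests from the victim's page, and the browser will attach the HttpOnly cookie to them. The flag stops the token from being stolen and replayed elsewhere; it does not stop actions performed in the victim's session while the script is running.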

Luckily, the HTTP spec took care of this with the HttpOnly ...