
Security fix guide

How to Fix a Missing HttpOnly Cookie Flag



What the issue means

A cookie set without the HttpOnly attribute is exposed to any client-side JavaScript running in the page (for example through document.cookie), so a single XSS flaw is enough for injected script to read it.

Why it matters

HttpOnly helps protect session cookies from theft through injected scripts: the browser still sends the cookie with requests, but refuses to expose it to script, so an XSS payload cannot simply read and exfiltrate it.

How to check it

Inspect the Set-Cookie response headers (in browser DevTools or with curl -I) and confirm that every session or authentication cookie carries the HttpOnly attribute; attribute names are case-insensitive, so HttpOnly and httponly are equivalent.

How to fix it

Set HttpOnly on session and authentication cookies that do not need JavaScript access, and pair it with Secure and an appropriate SameSite value, as in the examples below.

Configuration examples

Nginx
Prefer fixing this in application code; in reverse proxy setups, the proxy_cookie_flags directive can add HttpOnly to cookies coming from the upstream.
Apache
Prefer fixing this in application code; in some legacy configurations, a mod_headers Header edit Set-Cookie rule can append HttpOnly to cookies that lack it.
Vercel / Next.js
cookies().set("session", value, { httpOnly: true, secure: true, sameSite: "lax" });
Cloudflare
Use application-level fixes where possible.
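The check and the fix described above, as an added example that is not part of this guide or of any of the products it names: a small Node.js script that parses Set-Cookie header values, reports sensitive cookies that lack HttpOnly (and Secure), and builds a hardened header. The sensitive-name pattern and the sample headers are constructed assumptions for illustration.

```javascript
// Added example: audit Set-Cookie headers for missing HttpOnly/Secure and
// build a hardened session cookie. Not code from the original guide.

// Assumption: cookies whose names look like session/auth material are "sensitive".
const SENSITIVE_NAME_RE = /(session|sess|auth|token|sid|jwt)/i;

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute keys are lower-cased because cookie attributes are case-insensitive.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? "" : nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const p of attrParts) {
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Audit a list of Set-Cookie header values. Returns one finding per sensitive
// cookie that is missing HttpOnly and/or Secure; non-sensitive cookies are skipped.
function auditSetCookieHeaders(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!SENSITIVE_NAME_RE.test(c.name)) continue;
    const missing = [];
    if (!c.attrs.httponly) missing.push("HttpOnly");
    if (!c.attrs.secure) missing.push("Secure");
    if (missing.length) findings.push({ name: c.name, missing });
  }
  return findings;
}

// Build a hardened Set-Cookie header value for a session cookie:
// HttpOnly keeps it away from script, Secure restricts it to HTTPS,
// SameSite=Lax limits cross-site sending, Max-Age bounds its lifetime.
function buildSessionCookie(name, value, { maxAge = 3600 } = {}) {
  return [
    `${name}=${encodeURIComponent(value)}`,
    "Path=/",
    `Max-Age=${maxAge}`,
    "HttpOnly",
    "Secure",
    "SameSite=Lax",
  ].join("; ");
}

// Constructed sample headers (not captured from any real site).
const SAMPLE_HEADERS = [
  "session=abc123; Path=/",                    // missing HttpOnly and Secure
  "auth_token=xyz; Path=/; Secure; HttpOnly",  // correctly protected
  "theme=dark; Path=/",                        // not sensitive, no finding
  "JSESSIONID=deadbeef; Path=/; Secure",       // missing HttpOnly
];

console.log("Findings:", JSON.stringify(auditSetCookieHeaders(SAMPLE_HEADERS)));
console.log("Hardened:", buildSessionCookie("session", "abc123"));
```

In a plain Node.js handler the hardened value is applied with res.setHeader("Set-Cookie", [buildSessionCookie("session", token)]); the audit function can be pointed at the Set-Cookie headers collected from a response (each header value separately, since a response may set several cookies).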
