NO HTTP ONLY COOKIE

Feature    | Value
Type       | Detection / Protection
Risk       | OWASP A2
Covered by | Agent

Let's look further at the authentication cookie and assume that an XSS (cross-site scripting) vulnerability is present in the application. An attacker who exploits it can run JavaScript in the victim's browser, read the authentication cookie through document.cookie and send it to a server they control. Can we prevent this? The HttpOnly flag addresses exactly this case: when the cookie is set with HttpOnly, the browser still sends it with every request to the server, but it is never exposed to script, so the injected code cannot read it. Note that HttpOnly limits the impact of XSS rather than fixing it; injected script can still make requests that carry the cookie automatically, so the vulnerability itself must still be removed.


How to solve it

If possible, set the HttpOnly flag on the authentication cookie(1) to reduce the impact of XSS attacks

import javax.servlet.http.Cookie;
Cookie cookie = new Cookie("foo", "bar"); // Create the cookie
cookie.setHttpOnly(true);                 // Mark it HttpOnly (Servlet API 3.0 and later)
response.addCookie(cookie);               // Add it to the HttpServletResponse

(1) If your container does not support the Servlet API 3.0 specification (where Cookie.setHttpOnly was introduced), you can achieve the same behaviour by writing the Set-Cookie response header yourself

response.addHeader("Set-Cookie", "foo=bar; HttpOnly"); // addHeader, not setHeader, so other Set-Cookie headers on the response are kept
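As an added example that is not part of the original page, the following Python script covers the detection side of this feature: it parses the Set-Cookie header values a response emits, reports any sensitive cookie that lacks HttpOnly, and builds a correctly flagged header with the standard library's http.cookies, the equivalent of the hand-written servlet header above. The header values and the cookie name JSESSIONID are constructed sample data; adding Secure in build_set_cookie is an assumption that goes beyond the page's HttpOnly advice.

```python
"""Audit Set-Cookie headers for the HttpOnly flag.

Added example, not code from the original page. The sample headers below are
constructed, and JSESSIONID is assumed to be the application's session cookie.
"""
from http.cookies import SimpleCookie
from typing import List, NamedTuple, Set


class CookieReport(NamedTuple):
    name: str
    http_only: bool
    attrs: Set[str]  # lower-cased attribute names found on the cookie


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value.

    Attribute names are case-insensitive per RFC 6265, so "httponly" and
    "HttpOnly" both count; HttpOnly is a flag and carries no value.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Keep only the attribute name; values such as Path=/ or Max-Age=3600 are dropped.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieReport(name, "httponly" in attrs, attrs)


def audit(headers: List[str], sensitive: Set[str]) -> List[str]:
    """Return the names of sensitive cookies that script could read via document.cookie.

    An empty list means every sensitive cookie in the response carries HttpOnly.
    """
    findings = []
    for header in headers:
        report = parse_set_cookie(header)
        if report.name in sensitive and not report.http_only:
            findings.append(report.name)
    return findings


def build_set_cookie(name: str, value: str) -> str:
    """Build a hardened Set-Cookie value with http.cookies.

    Secure is set as well (an addition beyond the page's HttpOnly advice).
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["path"] = "/"
    return jar.output(header="").strip()


# Constructed sample responses: the first leaks the session cookie to injected script.
VULNERABLE_HEADERS = [
    "JSESSIONID=0123456789abcdef; Path=/",
    "theme=dark; Path=/; Max-Age=31536000",
]
FIXED_HEADERS = [
    "JSESSIONID=0123456789abcdef; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    print("vulnerable response:", audit(VULNERABLE_HEADERS, {"JSESSIONID"}))
    print("fixed response:", audit(FIXED_HEADERS, {"JSESSIONID"}))
    print("hardened header:", build_set_cookie("JSESSIONID", "0123456789abcdef"))
```

The audit only flags cookies listed as sensitive, since a preference cookie such as theme may legitimately be read by page script; the parser lower-cases attribute names so a response that writes httponly in another case is not reported as missing the flag.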