3.7 Ensure 'cookies' are set with HttpOnly attribute - Applications

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


The httpOnlyCookies attribute of the httpCookies node determines if IIS will set the HttpOnly flag on HTTP cookies it sets. The HttpOnly flag indicates to the user agent that the cookie must not be accessible by client-side script (i.e document.cookie). It is recommended that the httpOnlyCookies attribute be set to true.
When cookies are set with the HttpOnly flag, they cannot be accessed by client side scripting running in the user's browser. Preventing client-side scripting from accessing cookie content may reduce the probability of a cross site scripting attack materializing into a successful session hijack.

NOTE: This section requires ASP.NET, but ASPNET45 and .Net Extensibility have not been found.


1. Locate and open the application's web.config file
2. Add the <httpCookies httpOnlyCookies='true' /> tag within <system.web>:
<httpCookies httpOnlyCookies='true' />
Setting the value of the httpOnlyCookies attribute of the httpCookies element to true will add the HttpOnly flag to all the cookies set by the application. All modern versions of browsers recognize HttpOnly attribute; older versions will either treat them as normal cookies or simply ignore them altogether.
Default Value:
By default, ASP.NET 2.0 does not force cookies to httpOnly.

See Also