Session cookie missing HttpOnly — preventing XSS-driven session theft
If a session cookie is readable by JavaScript, any XSS — yours or a third-party SDK's — can exfiltrate the token. HttpOnly makes the cookie invisible to `document.cookie` and most scripted pivots.
Real-world risk
Any XSS can read the session token from `document.cookie` and exfiltrate it.
Fix steps (in order)
- Add HttpOnly to session cookies so JavaScript cannot read them.
- Example: `Set-Cookie: sid=…; Path=/; HttpOnly; Secure; SameSite=Lax`
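The check and the fix above, as an added example (not Scorifya's scanner code): parse `Set-Cookie` headers, flag session cookies that lack `HttpOnly`, and rewrite a header into the hardened form shown. The session-cookie name hints and the sample headers are constructed assumptions.

```python
"""Audit Set-Cookie headers for session cookies missing HttpOnly, and harden them."""
from dataclasses import dataclass

# Assumption: cookies whose name contains one of these fragments carry a session.
SESSION_NAME_HINTS = ("sid", "sess", "session", "auth")

# Constructed sample response headers (values after "Set-Cookie:").
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; Secure; SameSite=Lax",            # readable by JS: finding
    "JSESSIONID=def456; Path=/; HttpOnly; Secure; SameSite=Lax",  # already fixed
    "theme=dark; Path=/; Max-Age=31536000",                 # not a session cookie
]


@dataclass
class CookieAudit:
    name: str
    attributes: dict   # lower-cased attribute name -> value or True for flags
    missing: list      # hardening attributes absent from the header


def parse_set_cookie(header: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # bare flag -> True
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> CookieAudit:
    name, _, attrs = parse_set_cookie(header)
    missing = [flag for flag, key in (("HttpOnly", "httponly"), ("Secure", "secure"),
                                      ("SameSite", "samesite")) if key not in attrs]
    return CookieAudit(name, attrs, missing)


def find_session_cookie_missing_httponly(headers) -> list:
    """Names of session cookies that JavaScript could read via document.cookie."""
    findings = []
    for header in headers:
        audit = audit_set_cookie(header)
        is_session = any(h in audit.name.lower() for h in SESSION_NAME_HINTS)
        if is_session and "HttpOnly" in audit.missing:
            findings.append(audit.name)
    return findings


def harden_set_cookie(header: str) -> str:
    """Append HttpOnly, Secure and SameSite=Lax where absent (the fix on this page)."""
    out = header.rstrip("; ")
    for flag in audit_set_cookie(header).missing:
        out += "; " + ("SameSite=Lax" if flag == "SameSite" else flag)
    return out
```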
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (`session_cookie_missing_httponly`) clears once the HttpOnly attribute is visible on the session cookie's Set-Cookie response header.