
HttpOnly Cookie Protection

HttpOnly cookies are not readable by client-side script in the browser. Modern web browsers support the HttpOnly flag, and it helps in the following ways:

  • HttpOnly blocks all access to the cookie through document.cookie
  • HttpOnly limits the damage of an XSS attack, because injected script cannot read the session cookie

curl -v -I http://zariga.com/HTTPOnly

and the curl output (note that JSESSIONID carries the HttpOnly attribute while the first cookie does not):
* Connected to zariga (::1) port 80 (#0)
> HEAD /HTTPOnly HTTP/1.1
> Host: localhost:8090
> User-Agent: curl/7.43.0
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< SET-COOKIE: Vulnerable-Web-Application=https://goo.gl/3Bn35z;expires=Thu, 04-Feb-2016 18:18:08 
< Set-Cookie: JSESSIONID=BF8801B19B228ADDE035A103350FA7F9; Path=/; HttpOnly
< Content-Type: text/html;charset=UTF-8
< Content-Length: 9159
< Date: Thu, 04 Feb 2016 18:13:08 GMT
Date: Thu, 04 Feb 2016 18:13:08 GMT
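To check a server's responses for this flag, here is an added example (not from the original post): a small Python script that pulls the Set-Cookie headers out of curl -v output and names the cookies that lack HttpOnly. It uses the header lines shown above as its constructed sample input.

```python
import re
from typing import Dict, List

# Constructed sample: the response header lines from the curl run shown above.
SAMPLE_CURL_OUTPUT = """\
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< SET-COOKIE: Vulnerable-Web-Application=https://goo.gl/3Bn35z;expires=Thu, 04-Feb-2016 18:18:08
< Set-Cookie: JSESSIONID=BF8801B19B228ADDE035A103350FA7F9; Path=/; HttpOnly
< Content-Type: text/html;charset=UTF-8
"""

# Header names are case-insensitive, so match SET-COOKIE and Set-Cookie alike;
# the optional "< " prefix is curl's verbose-mode marker for response headers.
SET_COOKIE_RE = re.compile(r"^(?:<\s*)?set-cookie:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def extract_set_cookie(curl_output: str) -> List[str]:
    """Return every Set-Cookie header value found in curl -v output."""
    return SET_COOKIE_RE.findall(curl_output)


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into cookie name, value and an attribute map.

    Attribute names are lower-cased because RFC 6265 treats them case-insensitively;
    flag attributes without a value (HttpOnly, Secure) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookies_missing_httponly(headers: List[str]) -> List[str]:
    """Names of cookies that document.cookie could expose (no HttpOnly attribute)."""
    parsed = [parse_set_cookie(h) for h in headers]
    return [c["name"] for c in parsed if "httponly" not in c["attrs"]]


if __name__ == "__main__":
    for name in cookies_missing_httponly(extract_set_cookie(SAMPLE_CURL_OUTPUT)):
        print(f"cookie '{name}' is readable by script: add the HttpOnly flag")
```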