C#

Made by DeepSource

Audit required: Cookie is accessible through a client-side script CS-A1010

Security
Critical
a05 cwe-1004 sans top 25 owasp top 10

Setting HttpOnly to true means that the cookie cannot be accessed through a client-side script and is limited to the ASP.NET engine. Because cookies can be used to preserve and store critical information that may be related to the user session, it is always recommended that you limit their scope wherever necessary to prevent unintended access and cookie theft. You can, however, ignore this warning if you are absolutely sure that the cookie does not contain any critical information.

Bad Practice

cookie.HttpOnly = false;

Recommended

cookie.HttpOnly = true;
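
The audit this rule asks for can also be run against the Set-Cookie headers an application actually emits. The following is an added example, not DeepSource's or the page's own code: it reports every cookie that lacks HttpOnly unless it is on a reviewed allowlist. The header values, the cookie names `auth_token`, `ui_theme` and `cart`, and the `ReviewedScriptReadable` allowlist are constructed assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class HttpOnlyAudit
{
    // Hypothetical allowlist: cookies reviewed and confirmed to hold nothing sensitive.
    static readonly HashSet<string> ReviewedScriptReadable =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "ui_theme" };

    // Returns the cookie name and whether the HttpOnly attribute is present.
    static (string Name, bool HttpOnly) Parse(string setCookie)
    {
        string[] parts = setCookie.Split(';');
        string name = parts[0].Split('=')[0].Trim();
        // Attribute names are case-insensitive and HttpOnly carries no value.
        bool httpOnly = parts.Skip(1)
            .Any(p => p.Trim().Equals("HttpOnly", StringComparison.OrdinalIgnoreCase));
        return (name, httpOnly);
    }

    // Names of cookies that script can read and that nobody has signed off on.
    public static List<string> Findings(IEnumerable<string> setCookieHeaders) =>
        setCookieHeaders.Select(Parse)
            .Where(c => !c.HttpOnly && !ReviewedScriptReadable.Contains(c.Name))
            .Select(c => c.Name)
            .ToList();

    static void Main()
    {
        // Constructed sample Set-Cookie values, not captured from a real application.
        var headers = new[]
        {
            "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax",
            "auth_token=constructed-value; path=/; secure",
            "ui_theme=dark; path=/",
            "cart=42; path=/; httponly"
        };

        foreach (string name in Findings(headers))
            Console.WriteLine($"Cookie '{name}' is readable from client-side script; " +
                              "set HttpOnly = true or record a review.");
    }
}
```

With the constructed headers above, only `auth_token` is reported: the session and `cart` cookies carry HttpOnly, and `ui_theme` is on the allowlist.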
