What is the HttpOnly cookie flag?

It blocks JavaScript from reading the cookie, stopping XSS-based session theft. Set it like Set-Cookie: sessionid=abc; HttpOnly.

How do I check for missing HttpOnly on my site?

DevTools > Application > Cookies. No HttpOnly

Yes—Microsoft, Google subs vulnerable before. Dangling CNAME to unused Heroku/AWS

🔒 Security & Privacy

Your login session just got stolen because a developer skipped one flag. HttpOnly isn't optional; it's the firewall between your data and disaster.

theAIcatchup Apr 09, 2026 3 min read

Missing HttpOnly flag turns XSS into full account takeover — fix is one attribute. 𝕏
DNS TXT/CNAME/PTR records expose email spoofs and subdomain risks daily. 𝕏
Python loops form the core of tools like Nmap; beginners code scanners in days. 𝕏

Published by

Community-driven. Code-first.

#DNS security #HttpOnly flag #XSS vulnerability #session hijacking #subdomain takeover

Get the best Open Source stories of the week in your inbox — no noise, no spam.

Originally reported by Dev.to