Is a secure cookie without the HttpOnly flag a problem?

The Secure flag ensures that a cookie is only set and transmitted over a secure channel (i.e. HTTPS). If there is an option for HTTP, the Secure flag should prevent transmission of that cookie over it. Therefore, a missing Secure flag becomes an issue if there is an option to use or fall back to HTTP.

HttpOnly ensures that scripting languages (i.e. JavaScript) won't be able to read the cookie value (such as through document.cookie). The only way to get it is through HTTP request and response headers. Therefore, a missing HttpOnly flag coupled with an XSS vulnerability is a recipe for a stolen session token.

It's best to set both the HttpOnly and Secure flags on your session token. For other cookies, it depends on how sensitive each one is and what it is used for.


These two flags mitigate two completely different attack vectors.

  • HttpOnly - mitigates successful Cross-Site Scripting attacks.
  • Secure - mitigates Man-In-The-Middle attacks.

One without the other means you've only mitigated that particular vector. That is, it depends on what threats you are defending against. HttpOnly is still useful even if Secure is not set, because a Man-In-The-Middle also needs to be suitably placed - for example, on the local network. A cross-site scripting attacker could be located anywhere on the internet, so mitigating this in itself is still useful.

As a note, these flags should be "defence-in-depth" measures only. I'd recommend HSTS over the Secure flag, and a tight Content Security Policy with proper output encoding over HttpOnly flags any day; however, if your system is already built, adding those later can be prohibitive.
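As an added example (not part of any of the answers above, and not from any particular framework), here is a small Node.js script that performs the check the first two answers describe: it parses Set-Cookie headers, flags session cookies that lack HttpOnly or Secure, and, following the second answer's point that HSTS is the stronger control, softens the missing-Secure finding when a Strict-Transport-Security header is also present. The list of session-cookie names and the sample headers are constructed for the demo; adapt the name list to your own framework.

```javascript
// Added example: audit Set-Cookie headers for the Secure and HttpOnly flags,
// and weigh a missing Secure flag against the presence of HSTS.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased here.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Assumed heuristic (not from the original post): cookie names that commonly
// carry a session token. Extend for your framework.
const SESSION_NAME_PATTERN =
  /^(sessionid|session|sid|phpsessid|jsessionid|asp\.net_sessionid|connect\.sid)$/i;

function isSessionCookie(name) {
  return SESSION_NAME_PATTERN.test(name);
}

// Audit a list of Set-Cookie header values. `hsts` is the response's
// Strict-Transport-Security value, or null if the header is absent.
// Returns one finding per cookie: { name, session, issues: [...] }.
function auditCookies(setCookieHeaders, hsts = null) {
  return setCookieHeaders.map((raw) => {
    const c = parseSetCookie(raw);
    const issues = [];
    if (!isSessionCookie(c.name)) {
      return { name: c.name, session: false, issues };
    }
    if (!('httponly' in c.attrs)) {
      issues.push('missing HttpOnly: readable via document.cookie if an XSS bug exists');
    }
    if (!('secure' in c.attrs)) {
      issues.push(hsts
        ? 'missing Secure: HSTS is set, so browsers that have cached the policy will not send it over http, but the first visit (before the policy is seen, or without preload) can still leak it'
        : 'missing Secure: the cookie will be sent over plain http to a network attacker or on a downgrade');
    }
    return { name: c.name, session: true, issues };
  });
}

// Build a hardened Set-Cookie header for a session token: Secure, HttpOnly,
// scoped to the site root, with a lifetime and SameSite restriction.
function sessionCookieHeader(name, value, { maxAge = 3600, sameSite = 'Lax' } = {}) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=${maxAge}; Secure; HttpOnly; SameSite=${sameSite}`;
}

// Constructed sample responses for the demo (not captured from a real site).
const SAMPLE_WEAK = ['sessionid=abc123; Path=/', 'theme=dark; Path=/'];
const SAMPLE_WITH_HSTS = ['sessionid=abc123; Path=/; HttpOnly'];

console.log('no flags, no HSTS:', JSON.stringify(auditCookies(SAMPLE_WEAK, null), null, 2));
console.log('HttpOnly only, HSTS present:',
  JSON.stringify(auditCookies(SAMPLE_WITH_HSTS, 'max-age=31536000; includeSubDomains'), null, 2));
console.log('hardened header:', sessionCookieHeader('sessionid', 'abc123'));
```

Run it with `node audit-cookies.js`; in a real check you would feed it the `set-cookie` array and `strict-transport-security` value from an HTTP client's response object. The Secure finding is deliberately still reported when HSTS is present, because HSTS only protects browsers that have already seen the policy.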


The HttpOnly cookie flag acts as a security control for session cookies, as it prevents client-side scripts from accessing the cookie value. This is effective in case an attacker manages to inject malicious scripts into a legitimate HTML page. The HttpOnly flag will prevent the malicious script from accessing the session cookie, hence preventing session hijacking.

Note that this flag only reduces the risk to a certain level, and if there is a script injection vulnerability present, it can still be exploited in multiple ways, as discussed here.