Fix guide · high · cookie_missing_httponly
Auth cookie missing HttpOnly flag
An auth-shaped cookie (session, token, auth, sid, jwt, csrf) was set without the HttpOnly flag.
Why it matters
Without HttpOnly, any JavaScript running on the page can read the cookie through document.cookie, so any XSS, even a small one, can exfiltrate the session token to an attacker-controlled host. HttpOnly removes that vector: the browser still sends the cookie with requests but hides it from scripts. It is defence in depth, not a substitute for fixing the XSS, since injected script can still issue authenticated requests from the victim's browser.
How to fix it
Add HttpOnly to every auth-shaped cookie. Most auth cookies should carry all three attributes: Secure, HttpOnly and SameSite. The one legitimate exception is a cookie that client-side JavaScript must read by design, such as a double-submit CSRF token; that cookie cannot be HttpOnly, so confirm it grants no session authority on its own.
The raw header to aim for:
Set-Cookie: session=abc; HttpOnly; Secure; SameSite=Lax; Path=/
Express / Connect:
res.cookie('session', token, {
httpOnly: true, secure: true, sameSite: 'lax', path: '/',
});
Next.js Route Handlers + Server Actions:
import { cookies } from 'next/headers';
// Next.js 15+: cookies() is async, so write (await cookies()).set(...) instead.
cookies().set('session', token, {
httpOnly: true, secure: true, sameSite: 'lax', path: '/',
});
Hono (Cloudflare Workers / Deno / Bun):
import { setCookie } from 'hono/cookie';
setCookie(c, 'session', token, {
httpOnly: true, secure: true, sameSite: 'Lax', path: '/',
});
Fastify:
// Requires the @fastify/cookie plugin to be registered on the Fastify instance.
reply.setCookie('session', token, {
httpOnly: true, secure: true, sameSite: 'lax', path: '/',
});
Remix / SvelteKit (raw Response):
new Response(body, {
headers: { 'Set-Cookie': `session=${token}; HttpOnly; Secure; SameSite=Lax; Path=/` },
});
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.