# HTTP Only Cookie Analyzer

Category Severity Time To Fix
🛡️ Security ⚠️ Critical 1 minute

Class: Enlightn\Enlightn\Analyzers\Security\HttpOnlyCookieAnalyzer

# Introduction

A cookie with an HttpOnly attribute is inaccessible from Javascript. The http_only configuration option in your config/session.php file determines whether your session cookie should set the HttpOnly attribute.

This analyzer confirms that your session cookie sets the HttpOnly attribute.

If this is not enabled, it may expose your application to cross-site scripting (XSS) attacks. Unless, you have a very specific use case to require session cookies to be accessed from Javascript, it is recommended to enable this option.

Note that the default value of HttpOnly for all cookies is true and the http_only configuration option in your config/session.php only sets this attribute for the session cookie and not for the other cookies in your application.

# How To Fix

Simply set the http_only attribute in your config/session.php file to true:

| HTTP Access Only
| Setting this value to true will prevent JavaScript from accessing the
| value of the cookie and the cookie will only be accessible through
| the HTTP protocol. You are free to modify this option if needed.
'http_only' => true,

# Skip Condition

This analyzer is skipped if your app is stateless (does not use sessions).

# References