
V-222575

CAT II (Medium)

The application must set the HTTPOnly flag on session cookies.

Rule ID

SV-222575r1043178_rule

STIG

Application Security and Development Security Technical Implementation Guide

Version

V6R4

CCIs

CCI-001184

Discussion

HTTPOnly is a flag included in a Set-Cookie HTTP response header. If the HTTPOnly flag is included in the HTTP response header, the cookie cannot be accessed through client-side scripts like JavaScript. If the HTTPOnly flag is set, then even if a cross-site scripting (XSS) flaw exists in the application and a user accidentally accesses a link that exploits this flaw, the browser will not reveal the cookie to a third party. The HTTPOnly setting is browser dependent; however, most popular browsers support the feature. If a browser does not support HTTPOnly and a website attempts to set an HTTPOnly cookie, the browser ignores the HTTPOnly flag, creating a traditional, script-accessible cookie. As a result, the cookie (typically the session cookie) becomes vulnerable to theft or modification by a malicious script running on the client system.

Check Content

Review the application documentation and interview the application administrator to identify when session cookies are created.

Identify any mitigating controls the application developer may have implemented. Examples include utilizing a separate Web Application Firewall that is configured to provide this capability or configuring the web server with Mod_Security or ESAPI WAF with the HTTPOnly flag directives enabled.

Reference the most recent vulnerability scan documentation.

Verify the configuration settings for the scan include web application checks including HTTPOnly tests.

Review the scan results and determine if vulnerabilities related to the HTTPOnly flag not being set for session cookies have been identified.

Utilize a web browser or other web application diagnostic tool to view the session cookies the application sets on the client.

Internet Explorer versions 8, 9, and 10 include a utility called Developer Tools.

Access the application website and establish an application session.

Access the page that sets the session cookie.

Press “F12” to open Developer Tools.

Select "cache" and then "view cookie information".

Identify the session cookies. An example of an HTTPOnly session cookie is as follows:

Set-Cookie: SessionId=z5ymkk45aworjo2l31tlhqqv; path=/; HttpOnly

If the application does not set the HTTPOnly flag on session cookies or if the application administrator cannot demonstrate mitigating controls, this is a finding.

Fix Text

Configure the application to set the HTTPOnly flag on session cookies.
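As an added example (not DISA's or STIGhub's text) covering both the check procedure above and this fix text: a Python script that audits captured Set-Cookie header values for session cookies that lack the HttpOnly flag, and builds a compliant Set-Cookie value with the standard library. The session-cookie name heuristics, the function names, and the sample headers other than the page's own SessionId example are assumptions.

```python
"""Added example (not DISA's or STIGhub's code): audit Set-Cookie headers for
the HTTPOnly flag on session cookies, and build a compliant header.
Uses only the Python standard library; cookie names and sample headers
below are constructed for illustration."""
from http.cookies import SimpleCookie

# Assumed heuristic: a cookie whose name contains one of these fragments is
# treated as a session cookie. Adjust to the application's real cookie names.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attr: value}).

    Attribute names are lower-cased; flag attributes such as HttpOnly and
    Secure map to True. Returns None if the header has no name=value part.
    """
    parts = [p.strip() for p in header_value.split(";")]
    if not parts or "=" not in parts[0]:
        return None
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def is_session_cookie(name):
    """Assumed name-based classification of session cookies."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie_headers(headers):
    """Return the names of session cookies that lack the HttpOnly flag.

    `headers` is an iterable of raw Set-Cookie header values, as captured
    from the response that establishes the application session.
    """
    findings = []
    for raw in headers:
        parsed = parse_set_cookie(raw)
        if parsed is None:
            continue
        name, _value, attrs = parsed
        if is_session_cookie(name) and attrs.get("httponly") is not True:
            findings.append(name)
    return findings


def build_session_cookie(name, value, secure=True):
    """Emit a Set-Cookie value with HttpOnly set (the STIG fix), using the
    standard library so the attribute names are spelled canonically."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["httponly"] = True
    if secure:
        cookie[name]["secure"] = True
    return cookie[name].OutputString()


# Constructed sample: what a reviewer might capture from the application's
# login response. Only the first header is compliant with V-222575; the
# last one is not a session cookie and is ignored by the audit.
SAMPLE_HEADERS = [
    "SessionId=z5ymkk45aworjo2l31tlhqqv; path=/; HttpOnly",
    "JSESSIONID=0123456789abcdef; Path=/app; Secure",
    "auth_token=abc.def.ghi; Path=/; SameSite=Lax",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for cookie_name in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(f"finding: session cookie '{cookie_name}' lacks HttpOnly")
    print("compliant header:",
          build_session_cookie("SessionId", "z5ymkk45aworjo2l31tlhqqv"))
```

The audit treats a missing HttpOnly attribute on any session-looking cookie as a finding, regardless of whether Secure or SameSite is present, because those attributes do not prevent script access. The builder emits `Secure` as well by default since the flag costs nothing on an HTTPS application and is the usual companion setting.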