Cookie without HttpOnly flag set sonarqube

Must-share information (formatted with Markdown):

  • SonarQube 8.9.7
    *** what are you trying to achieve**
    The HttpOnly flag directs compatible browsers to prevent client-side script from accessing
    cookies. When set, browsers that support the flag will not reveal the contents of the cookie
    to a third party via client-side script executed via XSS.

  • what have you tried so far to achieve this
    As of now nothing has been tried but want to know about below
    “how to mark the cookie as HttpOnly. so this will be an extra layer of defense against XSS.”

we were running a security scan on the application

Please guide


Hey there.

I assume you’re referring to the XSRF-TOKEN. This cookie is read by the web application, therefore it cannot be marked as HttpOnly. You can read a discussion about this here.\

If this is referring to another cookie, let us know.


Thank you Colin !

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.