HTTP cookies can be created in two ways: either in the HTTP layer, or in the application layer in the DOM using JavaScript. After they are created, some cookies can be accessed from either layer, depending on the application requirements.

HTTP cookies can be created in a web browser either by the Set-Cookie header in an HTTP response or from JavaScript through the document.cookie property. An example from the JavaScript console:

> document.cookie
"cookieconsent_status=dismiss; test_cookie=true"

The same cookies can be set using HTTP response headers, one Set-Cookie header per cookie:

Set-Cookie: cookieconsent_status=dismiss
Set-Cookie: test_cookie=true

This gives application developers great flexibility in customizing the application behavior to match user preferences. For example, if a user indicated a preference to see the website in Russian, the application can set a cookie language=russian, which the browser will send in all subsequent requests. Upon receiving the cookie, the application will display content in the appropriate language, always returning what the user has chosen to see. The cookie can be read either from the HTTP session (the Cookie request header), which is what most server-side applications would do, or client-side using JavaScript, the mode preferred by most AJAX-based JavaScript applications.

The problem with the latter access method is that some types of cookies are never intended to be accessed outside of the HTTP channel. For example, session cookies often contain authentication tokens which, if exposed by malicious JavaScript code, can be used to impersonate the user on the target website.

This would require a vulnerability such as Cross-Site Scripting to be present on the website, but the ability to hide the authentication cookie from JavaScript code significantly reduces the impact of such an attack. The httpOnly cookie flag does exactly that: it instructs the browser that this particular cookie should never be exposed to the JavaScript layer and only sent

The flag is defined in RFC 6265 and should be set on all authentication-related cookies that are not intended to be accessed by JavaScript. An example:

Set-Cookie: session_cookie=secret_value; httpOnly

Such a cookie will still be sent in the Cookie request header, where it is accessible to the server-side web application code, but it is never exposed to the client-side browser DOM and is not accessible from JavaScript.

Most web application security scanners will check whether session cookies are set with the httpOnly flag and will raise an alert if they are not. Some broken security scanners will raise this alert for any cookie set by the website, which is definitely overkill and a false positive.
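
The check described above, as an added example (not code from the original page or from any particular scanner): it parses Set-Cookie header values and reports only cookies whose names look authentication-related and lack the httpOnly flag, so preference cookies are not reported. The name patterns, function names and sample headers are assumptions constructed for illustration.

```javascript
// Added example: report only authentication-related cookies that lack HttpOnly.
// AUTH_NAME_PATTERNS is an assumed heuristic; replace it with the application's real names.
const AUTH_NAME_PATTERNS = [/sess/i, /auth/i, /token/i, /sid$/i];

// Parse one Set-Cookie header value into { name, value, attributes }.
// Returns null when there is no usable name=value pair (RFC 6265 says to ignore these).
function parseSetCookie(headerValue) {
  const parts = headerValue.split(';');
  const pair = parts.shift();
  const eq = pair.indexOf('=');
  if (eq === -1) return null;
  const name = pair.slice(0, eq).trim();
  if (!name) return null;
  const attributes = new Map();
  for (const part of parts) {
    const i = part.indexOf('=');
    // Attribute names are case-insensitive, so store them lower-cased.
    const attrName = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (attrName) attributes.set(attrName, i === -1 ? '' : part.slice(i + 1).trim());
  }
  return { name, value: pair.slice(eq + 1).trim(), attributes };
}

function looksLikeAuthCookie(name) {
  return AUTH_NAME_PATTERNS.some((re) => re.test(name));
}

// Return the names of auth-related cookies that JavaScript could read.
function findExposedAuthCookies(setCookieHeaders) {
  return setCookieHeaders
    .map((header) => parseSetCookie(header))
    .filter((c) => c && looksLikeAuthCookie(c.name) && !c.attributes.has('httponly'))
    .map((c) => c.name);
}

// Constructed sample: Set-Cookie values from one hypothetical response.
const sampleHeaders = [
  'cookieconsent_status=dismiss; Path=/',   // preference cookie, meant for JavaScript
  'language=russian',                       // preference cookie
  'session_cookie=secret_value; httpOnly',  // protected session cookie
  'auth_token=abc123; Path=/; Secure',      // auth cookie without HttpOnly
  'sid=HttpOnly; Path=/',                   // "HttpOnly" as the value is not the flag
];

console.log(findExposedAuthCookies(sampleHeaders));
```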