HttpOnly
HTTPレスポンスヘッダのSet-Cookieヘッダのオプションフラグ。
XSSの緩和
code:HTTP Response Header
Set-Cookie: <name>=<value>; <Max-Age>=<age>
`; expires=<date>; domain=<domain_name>
; path=<some_path>; secure; HttpOnly
https://owasp.org/www-community/HttpOnly
HttpOnly cookies were first implemented in 2002 by Microsoft Internet Explorer developers for Internet Explorer 6 SP1.
If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script
If a browser that supports HttpOnly detects a cookie containing the HttpOnly flag, and client side script code attempts to read the cookie, the browser returns an empty string as the result.