HttpOnly is an additional flag included in the Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie (if the browser supports it).
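
One way to check a response for cookies that were issued without the flag, as an added example that is not part of the original page. The function names and the sample header values are assumptions constructed for illustration; the parsing follows the RFC 6265 rule that attribute names are matched case-insensitively and appear only after the first `;`.

```python
"""Audit Set-Cookie response header values for the HttpOnly flag."""


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    The first ';'-separated part is the name=value pair. Every later
    part is an attribute; its name is lower-cased because RFC 6265
    matches attribute names case-insensitively.
    """
    parts = header_value.split(";")
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key:
            attrs[key] = val.strip()
    return name.strip(), value.strip(), attrs


def missing_httponly(set_cookie_headers):
    """Return the names of cookies set without the HttpOnly attribute."""
    flagged = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            flagged.append(name)
    return flagged


# Constructed sample Set-Cookie values (not taken from any real site).
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
    "note=httponly; Path=/",        # "httponly" in the value is not the flag
    "csrf=9f2c; path=/; httponly",  # attribute names are case-insensitive
]

if __name__ == "__main__":
    for cookie_name in missing_httponly(SAMPLE_HEADERS):
        print(f"cookie {cookie_name!r} is readable by client-side script")
```

A plain substring search for "HttpOnly" would wrongly pass the `note` cookie, which is why the value and the attributes are separated before checking.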

References

  • https://www.owasp.org/index.php/HttpOnly