Cookies Should Be Kept Private — Here's How

1️⃣ The Role of HttpOnly Cookies

When a server sets a cookie, it can mark it as HttpOnly. This makes the cookie inaccessible to JavaScript running in the browser. Instead, the cookie is automatically sent to the server during relevant HTTP requests, making it much harder for attackers to steal it using client-side scripts (like in XSS attacks).

Pro Tip: Always set sensitive cookies (like session tokens) as HttpOnly to protect against JavaScript access.


2️⃣ Setting the Cookie Scope: Domain and Path

Cookies can be scoped to specific domains and paths, controlling when they are sent back to the server.

  • Domain: Defines which hosts can receive the cookie.
    • If Domain is not set, the cookie is sent only to the origin domain (excluding subdomains).
    • If Domain is set (e.g., .example.com), the cookie is sent to that domain and all its subdomains (e.g., app.example.com).
  • Path: The cookie is sent only if the requested URL path begins with the specified value.
    • For example, if Path=/devices is set, the cookie will be sent with requests to:
      • /devices/wg1
      • /devices/http
      • /devices/http/gr2
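To make the Domain and Path rules above concrete, here is an added example (not code from the original post) that models the checks a browser performs before attaching a stored cookie to a request, following the domain-match and path-match rules of RFC 6265. The cookies, hostnames and URLs in it are constructed for illustration; it goes slightly beyond the post by also showing a look-alike path (`/devices-old`) and a look-alike host that must not receive the cookie.

```javascript
// Added example (not from the original post): a model of the RFC 6265
// domain-match and path-match rules a browser applies before attaching a
// cookie to a request. Cookies and hosts below are constructed for illustration.

// RFC 6265 section 5.1.3: the request host domain-matches the cookie domain if
// they are equal, or the cookie domain is a suffix of the host preceded by a dot.
// A leading dot on the Domain attribute is ignored by modern browsers.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const dom = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === dom || host.endsWith("." + dom);
}

// RFC 6265 section 5.1.4: the request path path-matches the cookie path if they
// are equal, or the cookie path is a prefix that ends in "/" or is followed by "/".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Decide whether a stored cookie would be sent with a request to `url`.
// `hostOnly` is true when the server set no Domain attribute: the cookie then
// goes only to the exact host that set it, never to its subdomains.
function cookieSentTo(cookie, url) {
  const u = new URL(url);
  const hostOk = cookie.hostOnly
    ? u.hostname === cookie.domain
    : domainMatches(u.hostname, cookie.domain);
  return hostOk && pathMatches(u.pathname, cookie.path);
}

// Constructed cookies: one host-only (no Domain attribute, set by example.com),
// one with Domain=.example.com, both scoped to Path=/devices as in the post.
const hostOnlyCookie = { name: "sid", domain: "example.com", hostOnly: true, path: "/devices" };
const domainCookie = { name: "sid", domain: ".example.com", hostOnly: false, path: "/devices" };

function scopeDemo() {
  return {
    pathWg1: cookieSentTo(domainCookie, "https://app.example.com/devices/wg1"),
    pathGr2: cookieSentTo(domainCookie, "https://app.example.com/devices/http/gr2"),
    pathLookalike: cookieSentTo(domainCookie, "https://app.example.com/devices-old"),
    hostOnlyToSubdomain: cookieSentTo(hostOnlyCookie, "https://app.example.com/devices/wg1"),
    hostOnlyToSelf: cookieSentTo(hostOnlyCookie, "https://example.com/devices/wg1"),
    domainToLookalikeHost: cookieSentTo(domainCookie, "https://example.com.evil.test/devices/wg1"),
  };
}

console.log(scopeDemo());
```

Run it with `node` to see that the two `/devices/...` paths from the post receive the cookie, `/devices-old` does not (a prefix match alone is not enough), the host-only cookie never reaches `app.example.com`, and a host that merely contains `example.com` as a prefix does not domain-match.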


3️⃣ Understanding the DOM and Cookies

In modern web applications, HTML documents are no longer static. They're dynamic and interactive, thanks to the DOM (Document Object Model).

The DOM is a programmatic interface to HTML documents. JavaScript running in the browser can use the DOM to:

  • Access and modify document content
  • Interact with elements dynamically
  • Read or write cookies using document.cookie


4️⃣ Why Protect Cookies from the DOM?

JavaScript has access to any cookie not marked as HttpOnly. If an attacker can run script in the page through Cross-Site Scripting (XSS), that script can read those cookies, session cookies included, and steal them.

Security Tip: Always use HttpOnly for session cookies, and scope them (Domain and Path) as narrowly as possible to isolate them.
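Sections 1, 3 and 4 all come down to one distinction: what a page script sees through `document.cookie` versus what the browser attaches to requests. The following added example (not code from the original post) parses `Set-Cookie` headers into a small model of the browser's cookie jar and computes both views, plus a defender-side audit that flags session-looking cookies left readable from script. The header values and the list of session-like cookie names are constructed for illustration; scope checks are left out of this model.

```javascript
// Added example (not from the original post): parse Set-Cookie headers into a
// model of the browser's cookie jar and show which cookies a page script can
// read through document.cookie versus which ones ride along on HTTP requests.

// Parse one Set-Cookie header value into a cookie record.
// Expires, Max-Age and SameSite are accepted but not modelled here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    domain: null,
    path: "/",
  };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    switch (k.toLowerCase()) {
      case "httponly": cookie.httpOnly = true; break;
      case "secure": cookie.secure = true; break;
      case "domain": cookie.domain = v; break;
      case "path": cookie.path = v; break;
      default: break;
    }
  }
  return cookie;
}

// What `document.cookie` would return to a script: HttpOnly cookies are never
// included, so an injected script cannot read them.
function documentCookieView(jar) {
  return jar.filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join("; ");
}

// What the browser puts in the Cookie request header: every in-scope cookie,
// HttpOnly or not. The server still receives the HttpOnly session cookie.
function cookieRequestHeader(jar) {
  return jar.map((c) => `${c.name}=${c.value}`).join("; ");
}

// Defender-side audit: report cookies whose names look like session
// identifiers but are readable from script. The name list is a constructed
// heuristic; extend it with your application's own session cookie name.
function findExposedSessionCookies(jar) {
  const sessionLike = /^(sid|sessionid|session|jsessionid|phpsessid|token)$/i;
  return jar.filter((c) => sessionLike.test(c.name) && !c.httpOnly).map((c) => c.name);
}

// Constructed Set-Cookie headers as a server might send them.
const SET_COOKIE_HEADERS = [
  "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "theme=dark; Path=/",
  "token=xyz789; Path=/", // session-like cookie left readable by script
];

function jarDemo() {
  const jar = SET_COOKIE_HEADERS.map(parseSetCookie);
  return {
    fromScript: documentCookieView(jar),
    onRequest: cookieRequestHeader(jar),
    exposed: findExposedSessionCookies(jar),
  };
}

console.log(jarDemo());
```

The `sid` cookie is absent from the script view but present on the request, which is exactly the protection HttpOnly provides; the audit reports `token`, which should have been set with HttpOnly as well.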


5️⃣ Cookie Scope vs. Same-Origin Policy

It's important to note that cookie scope is less restrictive than the Same-Origin Policy (SOP). A cookie set with a Domain attribute is sent to every subdomain of that domain, whereas the SOP treats each of those subdomains as a separate origin and isolates them from one another.
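The contrast is easiest to see by running both rules over the same pair of URLs. This added example (not code from the original post) places the SOP origin comparison beside the cookie domain-match rule; the URLs and the `example.com` cookie domain are constructed for illustration.

```javascript
// Added example (not from the original post): the Same-Origin Policy's origin
// comparison next to the cookie domain-match rule, to show that a cookie can
// travel between two pages that SOP treats as separate origins.

// SOP origin = scheme + host + port; all three must be equal.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Cookie domain-match (RFC 6265 section 5.1.3): equal, or the cookie domain is a
// dot-preceded suffix of the request host. A leading dot is ignored.
function domainMatches(requestHost, cookieDomain) {
  const dom = cookieDomain.toLowerCase().replace(/^\./, "");
  const host = requestHost.toLowerCase();
  return host === dom || host.endsWith("." + dom);
}

// For two URLs and a cookie Domain attribute, report whether SOP considers the
// pages the same origin and whether the cookie would reach both of them.
function compareRules(urlA, urlB, cookieDomain) {
  const hostA = new URL(urlA).hostname;
  const hostB = new URL(urlB).hostname;
  return {
    sameOrigin: sameOrigin(urlA, urlB),
    cookieSharedAcross: domainMatches(hostA, cookieDomain) && domainMatches(hostB, cookieDomain),
  };
}

function sopDemo() {
  return {
    // Two subdomains: SOP isolates them, a Domain=example.com cookie does not.
    subdomains: compareRules("https://app.example.com/", "https://blog.example.com/", "example.com"),
    // Same host, different scheme: SOP isolates them; the domain rule ignores the
    // scheme entirely (only the Secure attribute, not modelled here, restricts by scheme).
    schemes: compareRules("http://example.com/", "https://example.com/", "example.com"),
    // Unrelated hosts: neither rule shares anything.
    unrelated: compareRules("https://example.com/", "https://example.net/", "example.com"),
  };
}

console.log(sopDemo());
```

The practical consequence for defenders is that a cookie with a broad Domain attribute is only as safe as the least trusted subdomain that can receive it, so session cookies should usually be left host-only (no Domain attribute) unless cross-subdomain sessions are genuinely required.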


🧠 Summary

  • HTTP is a stateless protocol — cookies add session state.
  • Use HttpOnly to block JavaScript access to sensitive cookies.
  • Set appropriate Domain and Path to control when and where cookies are sent.
  • Understand the power of the DOM and how it can be exploited if cookies are exposed.

Keep cookies safe — and your users safer.
