
Overview - Http-only cookies

Mitigating the Most Common XSS attack using HttpOnly

Using the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie (if the browser supports it). Because a cookie set from JavaScript cannot carry the HttpOnly flag, the cookie has to be issued by a server-side response. To enable HttpOnly session cookies on your website, you'll need to follow some simple setup instructions:

- Set up a server-side endpoint that uses the UserKit SDK to forward requests from the widget to UserKit servers and sets an HttpOnly cookie on the response
- Configure the UserKit widget to send requests to your endpoint
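The server-side endpoint described in the first step, as an added example that is not UserKit's own code: a minimal standard-library WSGI app that accepts the widget's POST, forwards it server-side, and returns the session token only in an HttpOnly cookie. `forward_to_userkit` is a constructed stand-in for the UserKit SDK call, the cookie name `uk_session` is an assumption, and `cookie_is_httponly` is the check a reviewer can run against any Set-Cookie header.

```python
import io
import json
from http.cookies import SimpleCookie

def forward_to_userkit(payload):
    # Hypothetical stand-in for the UserKit SDK call. Constructed for this
    # example: it returns a fake token instead of contacting UserKit servers.
    return {"token": "constructed-session-token-" + str(payload.get("username", ""))}

def build_session_cookie(token, max_age=3600):
    # HttpOnly keeps document.cookie from reading the value; Secure and
    # SameSite are set too, since a session cookie should carry them as well.
    c = SimpleCookie()
    c["uk_session"] = token
    c["uk_session"]["httponly"] = True
    c["uk_session"]["secure"] = True
    c["uk_session"]["samesite"] = "Strict"
    c["uk_session"]["path"] = "/"
    c["uk_session"]["max-age"] = max_age
    return c["uk_session"].OutputString()

def cookie_is_httponly(set_cookie_value):
    # Parse the attributes of a Set-Cookie header value and confirm the flag.
    attrs = {p.strip().split("=")[0].lower() for p in set_cookie_value.split(";")[1:]}
    return "httponly" in attrs

def login_app(environ, start_response):
    # WSGI endpoint the widget posts to: forwards the request server-side and
    # places the returned token in an HttpOnly cookie on the response.
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed", [("Content-Type", "text/plain")])
        return [b"POST only"]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    payload = json.loads(environ["wsgi.input"].read(length) or b"{}")
    result = forward_to_userkit(payload)
    headers = [("Content-Type", "application/json"),
               ("Set-Cookie", build_session_cookie(result["token"]))]
    start_response("200 OK", headers)
    # The token is deliberately absent from the body; only the cookie carries it.
    return [json.dumps({"ok": True}).encode()]

def call_login(body):
    # Drives the app with a constructed request, returning (status, headers, body)
    # so the behaviour can be checked without running a server.
    raw = json.dumps(body).encode()
    environ = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(raw)),
               "wsgi.input": io.BytesIO(raw)}
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers
    out = b"".join(login_app(environ, start_response))
    return captured["status"], dict(captured["headers"]), out
```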