Mitigating the Most Common XSS Attack Using HttpOnly

Setting the HttpOnly flag when a cookie is issued tells browsers that support it to withhold that cookie from client-side script (for example `document.cookie`), so a script injected through XSS cannot read the session cookie. The flag does not stop the injected script from running; it limits what a successful XSS can steal rather than preventing the XSS itself. To enable HttpOnly session cookies on your website, follow these setup steps:

  • Set up a server-side endpoint that uses the UserKit SDK to forward requests from the widget to UserKit servers and sets an HttpOnly cookie on the response
  • Configure the UserKit widget to send requests to your endpoint instead of directly to UserKit
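The server-side half of these two steps, as an added example that is not UserKit's code or SDK: a framework-agnostic login proxy handler in Python that takes the upstream call as an injected function (a hypothetical `forward` callable standing in for the UserKit SDK call), puts the returned session token only in an HttpOnly cookie, and includes a check that a weak cookie (HttpOnly left off) fails. The cookie name, token and request payload are constructed values.

```python
import json
from http.cookies import SimpleCookie
from typing import Callable, Dict, Tuple

SESSION_COOKIE = "app_session"  # constructed cookie name, not a UserKit default


def build_session_cookie(token: str, *, http_only: bool = True,
                         max_age: int = 3600) -> str:
    """Return a Set-Cookie header value for the session token.

    HttpOnly keeps the cookie out of document.cookie, Secure keeps it off
    plaintext HTTP, and SameSite=Lax limits cross-site sends (CSRF).
    """
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = token
    morsel = jar[SESSION_COOKIE]
    morsel["httponly"] = http_only  # the flag this page is about
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def handle_login(body: bytes, forward: Callable[[dict], dict]
                 ) -> Tuple[int, Dict[str, str], str]:
    """Proxy endpoint: forward the widget's credentials upstream via the
    injected `forward` callable (hypothetical stand-in for the SDK call) and
    hand the token back only as an HttpOnly cookie, never in the JSON body."""
    payload = json.loads(body)
    upstream = forward(payload)
    token = upstream.get("token")
    if not token:
        return 401, {"Content-Type": "application/json"}, json.dumps({"ok": False})
    headers = {"Content-Type": "application/json",
               "Set-Cookie": build_session_cookie(token)}
    return 200, headers, json.dumps({"ok": True})


def cookie_is_hardened(set_cookie: str) -> bool:
    """Check that a Set-Cookie value carries HttpOnly, Secure and SameSite."""
    attrs = {part.strip().split("=")[0].lower()
             for part in set_cookie.split(";")[1:]}
    return {"httponly", "secure", "samesite"} <= attrs


if __name__ == "__main__":
    # Constructed request and a fake upstream that returns a constructed token.
    fake_upstream = lambda p: {"token": "constructed-session-token-1"}
    status, hdrs, body = handle_login(b'{"username": "u", "password": "p"}', fake_upstream)
    print(status, hdrs["Set-Cookie"], cookie_is_hardened(hdrs["Set-Cookie"]))
```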