18

I'm trying to figure out how to set the HttpOnly attribute for the set-cookie header, specifically for native NodeJS.

Right now, I have this code, but it doesn't work because I can still access the cookies with client side javascript.

response.setHeader('Set-Cookie', ['HttpOnly']);
Improve this question

1 Answer 1

Reset to default
36

To set cookie, you need to specify cookie name and value, which is missing in your code. That's why it does not work. Example code would be:

response.setHeader('Set-Cookie', 'foo=bar; HttpOnly');

If you want to set multiple cookies, some with HttpOnly, some without. The code would be:

response.setHeader('Set-Cookie', ['foo=bar; HttpOnly', 'x=42; HttpOnly', 'y=88']);

According to Node.js HTTP document, there is no global HttpOnly configuration, which makes sense, as normally you may need some cookie client readable.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Oh I see. I misinterpreted the NodeJS documentation, but you cleared it up. Thanks for your help!

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.