--- title: Ensure cookies set the HttpOnly flag description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST Rules > Ensure cookies set the HttpOnly flag --- # Ensure cookies set the HttpOnly flag {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **ID:** `php-security/cookie-http-only` **Language:** PHP **Severity:** Error **Category:** Security **CWE**: [1004](https://cwe.mitre.org/data/definitions/1004.html) ## Description{% #description %} This rule is crucial for preventing cross-site scripting (XSS) attacks. When the HttpOnly flag is set to true, it instructs the browser to prevent client-side scripts from accessing the cookie. This is important because if a malicious script can access the session cookie, it can impersonate the user, potentially leading to a security breach. Non-compliance with this rule can make your application vulnerable to XSS attacks. An attacker can exploit this vulnerability to steal sensitive information, manipulate user data, or even gain control over user accounts. To avoid this, always set the HttpOnly flag to true when setting cookies in your PHP code. This can be done by passing true as the final argument when calling the `setcookie` or `session_set_cookie_params` functions. This ensures that your cookies are not accessible through client-side scripts, thereby increasing the security of your application. ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```php