ASVS Requirement 3.3.4
- Level: 2
- Chapter: V3 Web Frontend Security
- Section: V3.3 Cookie Setup
- Source: 0x12-V3-Web-Frontend-Security.md
Description
Verify that if the value of a cookie is not meant to be accessible to client-side scripts (such as a session token), the cookie has the 'HttpOnly' attribute set and that the same value (e.g. the session token) is only transferred to the client via the 'Set-Cookie' header field, never in the response body or another header.
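The requirement has two halves: the cookie attribute itself, and the rule that the protected value is delivered only through Set-Cookie. The following Python is an added illustration, not part of the ASVS text: it builds a compliant Set-Cookie value and audits a response against both halves. The set of protected cookie names, the sample headers and the sample bodies are all constructed for the example.

```python
"""Added example for ASVS 3.3.4: build a script-inaccessible session cookie
and audit an HTTP response for the two conditions the requirement names."""

# Cookie names that this (hypothetical) application treats as not meant for
# client-side scripts. A real deployment would derive this from its session
# configuration; the names here are an assumption for the example.
PROTECTED_COOKIES = {"session", "sessionid"}


def build_session_cookie(name: str, token: str) -> str:
    """Return a Set-Cookie header value that satisfies 3.3.4 for a session
    token: HttpOnly keeps it away from document.cookie and script access.
    Secure and SameSite are included because they are normally set together
    with HttpOnly on a session cookie; 3.3.4 itself only mandates HttpOnly."""
    return f"{name}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header_value: str) -> dict:
    """Split one Set-Cookie header value into name, value and a lower-cased
    attribute map (flag attributes such as HttpOnly map to True)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip().strip('"'), "attrs": attrs}


def audit_response(set_cookie_headers, body: str, protected=PROTECTED_COOKIES):
    """Return a list of findings for a response, one per violation of 3.3.4:
    - a protected cookie set without HttpOnly
    - a protected cookie's value also appearing in the response body,
      i.e. delivered to the client by a path other than Set-Cookie."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] not in protected:
            continue  # non-sensitive cookies (e.g. a theme choice) are out of scope
        if "httponly" not in cookie["attrs"]:
            findings.append(f"cookie '{cookie['name']}' lacks HttpOnly")
        if cookie["value"] and cookie["value"] in body:
            findings.append(
                f"value of cookie '{cookie['name']}' also appears in the response body"
            )
    return findings


# Constructed sample responses (not captured from any real system).
TOKEN = "tok_CONSTRUCTED_123"

# Weak: session cookie without HttpOnly, and the token echoed in a JSON body
# where script can read it regardless of cookie attributes.
WEAK_SET_COOKIE = [f"session={TOKEN}; Path=/", "theme=dark; Path=/"]
WEAK_BODY = '{"ok": true, "session": "' + TOKEN + '"}'

# Hardened: token only leaves the server inside a Set-Cookie header.
HARDENED_SET_COOKIE = [build_session_cookie("session", TOKEN), "theme=dark; Path=/"]
HARDENED_BODY = '{"ok": true}'


if __name__ == "__main__":
    for label, headers, body in (
        ("weak", WEAK_SET_COOKIE, WEAK_BODY),
        ("hardened", HARDENED_SET_COOKIE, HARDENED_BODY),
    ):
        print(label, audit_response(headers, body) or "no findings")
```

Running the module prints two findings for the weak response and none for the hardened one. The body check is a deliberately simple substring match; it catches the common case of a login endpoint returning the session token in JSON as well as in the cookie, which defeats HttpOnly even when the attribute is present.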