Slide 25
Slide 25 text
HttpOnly
Set-Cookie: session-id=12345; Secure; HttpOnly
Forbids JavaScript from accessing the cookie: document.cookie will not return it, while the browser still attaches it to requests to the site.
Reduces the impact of Cross-Site Scripting (XSS) attacks
→ Typically, through a security issue in your own code, a bad third-party library, etc., attacker-controlled JavaScript ends up executing on your domain and can read its cookies; with HttpOnly set, that script cannot read the session cookie and so cannot exfiltrate it.
→ Caveat: HttpOnly does not stop the XSS itself. Injected script can still issue requests from the victim's browser, and the browser attaches the session cookie to them; it only prevents the cookie value from being stolen and reused elsewhere.