Cookie missing HttpOnly on Next.js
Your session or auth cookie is missing the `HttpOnly` attribute. Without it, any JavaScript running on your site can read the cookie — including malicious scripts injected via XSS. For session tokens, JWTs, or CSRF tokens, HttpOnly should always be set. The fix is one attribute: `; HttpOnly`. Add it wherever you set cookies.
The fix for Next.js
Set `httpOnly: true` on every session/auth cookie.

import { cookies } from 'next/headers';

// Cookie writes are only allowed in a Server Action or Route Handler.
// In Next.js 15, cookies() returns a Promise and must be awaited.
cookies().set({
  name: 'session',
  value: token,
  httpOnly: true,   // not readable from document.cookie
  secure: true,     // sent over HTTPS only
  sameSite: 'lax',
});

Why it matters
HttpOnly is the defense that assumes XSS will happen. Even if an attacker injects a script, they cannot exfiltrate a cookie marked HttpOnly. CSP plus HttpOnly cookies is the gold standard.
Confirm the fix worked
Scan your Next.js site to confirm this finding is gone.
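To check a response locally before re-scanning, the snippet below (an added example, not part of this guide) parses Set-Cookie header strings and flags cookies whose names look session- or auth-related but lack HttpOnly or Secure. The name pattern and the sample headers are constructed assumptions, not Next.js defaults.

```javascript
// Added example: audit Set-Cookie headers for HttpOnly and Secure.
// Assumed name pattern for cookies that carry auth state; adjust per app.
const SENSITIVE_NAME_PATTERN = /session|token|jwt|auth|csrf/i;

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased because browsers match them
// case-insensitively (RFC 6265, section 5.2).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const value = eq === -1 ? '' : pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of rest) {
    const [k, ...v] = part.trim().split('=');
    if (k) attrs[k.toLowerCase()] = v.length ? v.join('=') : true;
  }
  return { name, value, attrs };
}

// Return findings for the Set-Cookie headers of one response.
// Non-sensitive cookies (e.g. a theme preference the client must read)
// are allowed to omit HttpOnly and produce no finding.
function auditSetCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!SENSITIVE_NAME_PATTERN.test(c.name)) continue;
    if (!('httponly' in c.attrs)) {
      findings.push({ name: c.name, issue: 'missing HttpOnly' });
    }
    if (!('secure' in c.attrs)) {
      findings.push({ name: c.name, issue: 'missing Secure' });
    }
  }
  return findings;
}

// Constructed sample headers: a fixed session cookie, an unfixed JWT
// cookie, and a client-readable preference cookie.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'jwt=eyJhbGciOi.example.signature; Path=/; Secure; SameSite=Lax',
  'theme=dark; Path=/; SameSite=Lax',
];

console.log(auditSetCookies(SAMPLE_HEADERS));
// → [ { name: 'jwt', issue: 'missing HttpOnly' } ]
```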
AI prompt
Apply across your codebase
Paste this into Cursor, Lovable, Bolt, v0, or Claude Code.
Find every place my app sets cookies. For cookies that store session tokens, JWTs, or auth state, add HttpOnly. For cookies that my client-side code needs to read (user preferences, theme), leave HttpOnly off but tell me which ones those are and confirm they do not contain sensitive data.

FAQ
Frequently asked questions
- My frontend reads the JWT from the cookie — what do I do?
- Stop. Keep the JWT server-side-only. Have your API read the cookie via `cookies()` in route handlers and return just the data the frontend needs. The frontend never needs the raw token.
Related fix guides
Fix these too
Cookie missing Secure flag
Cookies without the Secure flag can be sent over HTTP, leaking session tokens to anyone on the same network. Here is how to set it.
Cookie missing SameSite
SameSite controls whether cookies are sent on cross-site requests — the main defense against CSRF. Here is how to set it.
Missing CSP header
A missing Content-Security-Policy header lets attackers inject scripts into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.