HttpOnly cookie

設定cookie時可以指定為 HttpOnly Cookie, 這個 cookie 無法被 javascript 讀出來 (ex: document.cookie)

The Will Will Web | 設定 Cookie 時可善用 HttpOnly 特性減低網站安全風險(XSS)

Cookie hijacking 是個很常見的 XSS 攻擊手法，大多是利用網站既有的 XSS 漏洞並透過 JavaScript 取得 documnet.cookie 資料，而 documnet.cookie 就包含所有你在該網頁所有可用的 Cookie 資料，但若你的網站程式在設定 Cookie 的時候有特別加上 HttpOnly 屬性，就可以進一步避免該頁的 Cookie 被 JavaScript 存取，也可保護使用者的 Cookie 不會偷走。

[Security] HTTP-only cookies

Vidar wrote an interesting article pointing me to HTTPOnly-cookies. Microsoft created this extension to the cookie standard, to allow servers to issue cookies with a special HttpOnly-flag. This flag makes the cookie inaccessible to javascript in supported browsers (currently only newer versions of IE supports this feature fully).

The set-cookie header looks like this:
Set-Cookie: USER=123; expires=Wednesday, 09-Nov-99 23:12:40 GMT; HttpOnly

HttpOnly - OWASP