How to set HttpOnly flag In Node.js ,Express.js application?

Question

Hi I have a project in node.js and I want to set the HttpOnly flag: true for header response.

I have written the following code in app.js but it make no effect in response header .

app.use(session({
 secret: "notagoodsecretnoreallydontusethisone",
 resave: false,
 saveUninitialized: true,
 cookie: {httpOnly: true, secure: true}
}));

So any suggestion for setting HttpOnly Flag in express.js is most welcome.

If you want to set it true, why is your code explicitly setting it to false? — Quentin, Nov 23 '15 at 14:04
Which version of Express and Express Session middleware are you using? — nikc.org, Nov 23 '15 at 14:07
What URL are you using to make the request to your express app? — Quentin, Nov 23 '15 at 14:15
Your question is a bit confusing, are you trying to set the HttpOnly flag for the session cookie, or are you trying to set a custom HTTP header titled httpOnly? — Ash, Nov 23 '15 at 17:04
HttpOnly is something that applies to Cookies. This ensures the cookies cannot be access via JavaScript on the client side. Hope you understand this. When you say "it make no effect in response header", are you referring to the Cookie sent or are you expecting a "httpOnly" header value to be sent back? — Don, Nov 25 '15 at 03:17

score 8 · Accepted Answer · answered Sep 30 '16 at 13:22

8

I think you could try this!

app.use(session({
   cookieName: 'sessionName',
   secret: "notagoodsecretnoreallydontusethisone",
   resave: false,
   saveUninitialized: true,
   httpOnly: true,  // dont let browser javascript access cookie ever
   secure: true, // only use cookie over https
   ephemeral: true // delete this cookie while browser close
}));

answered Sep 30 '16 at 13:22

Wayne Chiu

5,830
2
22
19

i already got my answer chao,httpOnly works on server when we deploy the code. – arjun kori Sep 30 '16 at 13:28
2

This answer is wrong -- that's how you use sessions but does not answer the actual question of how to set the flag -- sessions don't work on lambda for example. – SebastianG Aug 23 '19 at 10:07

score 0 · Answer 2 · answered Jul 27 '22 at 14:37

This example uses cookie-parser library.

Setting a cookie: res.cookie("cookie_name", token, {})

Pass res.cookie() an options object with httpOnly: true,

 const options = {
    expires: duration,
    httpOnly: true,
  };

Final e.g.

res.cookie("cookie_name", token, options)

How to set HttpOnly flag In Node.js ,Express.js application?

2 Answers2

Linked