Session cookies missing the HttpOnly flag
The HttpOnly flag on a cookie prevents JavaScript running in the browser from reading that cookie's value; the browser still attaches the cookie to requests as usual, it is only hidden from script (for example `document.cookie`). It is designed specifically to protect login session cookies, and is set per cookie as an attribute on the `Set-Cookie` response header.
Why this matters
Without it, if an attacker manages to inject malicious JavaScript into your site (an XSS attack), they can steal session cookies and use them to log in as your users — turning a code vulnerability into an account takeover.
How to fix it
Set the HttpOnly attribute on all session and authentication cookies. This is a standard option in most web frameworks and server configurations.
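The example below is added here and is not part of the original finding. It is a small Node.js/JavaScript helper that does two things a defender typically wants: it parses `Set-Cookie` header values captured from responses and flags session or authentication cookies that lack `HttpOnly` (and `Secure`, which belongs on the same cookies), and it builds a correctly flagged `Set-Cookie` header for a session cookie. The cookie names, values and sample headers are constructed for illustration, and the name pattern used to decide what counts as a "session" cookie is an assumption to tune to your own application.

```javascript
// Added example (not from the original page): audit Set-Cookie headers for
// session cookies missing HttpOnly, and build a hardened Set-Cookie header.
// All cookie names, values and sample header lines are constructed.

// Names that usually identify a session/auth cookie. This pattern is an
// assumption: adjust it to the cookie names your application actually uses.
const SESSION_NAME_PATTERN = /(sess|session|auth|token|jwt|sid)/i;

// Parse one Set-Cookie header value into { name, value, attributes }.
// Attribute names are normalised to lower case; flag attributes such as
// HttpOnly and Secure are stored as true, valued ones keep their string.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const cookie = { name: name.trim(), value: rest.join('='), attributes: {} };
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    if (eq === -1) {
      cookie.attributes[part.toLowerCase()] = true;
    } else {
      cookie.attributes[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
    }
  }
  return cookie;
}

// Audit a list of Set-Cookie header values. Returns one finding per
// session-like cookie that is missing HttpOnly and/or Secure.
function auditSetCookieHeaders(headers) {
  const findings = [];
  for (const header of headers) {
    const cookie = parseSetCookie(header);
    if (!SESSION_NAME_PATTERN.test(cookie.name)) continue;
    const missing = [];
    if (!cookie.attributes.httponly) missing.push('HttpOnly');
    if (!cookie.attributes.secure) missing.push('Secure');
    if (missing.length > 0) {
      findings.push({ name: cookie.name, missing });
    }
  }
  return findings;
}

// Build a Set-Cookie header for a session cookie carrying the attributes a
// login cookie should have: HttpOnly, Secure, SameSite, a Path and a lifetime.
function buildSessionCookie(name, value, { maxAge = 3600, sameSite = 'Lax' } = {}) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=${maxAge}; HttpOnly; Secure; SameSite=${sameSite}`;
}

// Constructed sample response headers, as a proxy or client log might show
// them: a session cookie without HttpOnly, one correctly flagged, and a
// preference cookie that is not session-related and may stay script-readable.
const SAMPLE_SET_COOKIE_HEADERS = [
  'sessionid=abc123; Path=/; Secure',
  'auth_token=def456; Path=/; HttpOnly; Secure; SameSite=Strict',
  'theme=dark; Path=/',
];

// Running this file prints the single finding (sessionid lacks HttpOnly)
// followed by a hardened header for the same cookie.
console.log(auditSetCookieHeaders(SAMPLE_SET_COOKIE_HEADERS));
console.log(buildSessionCookie('sessionid', 'abc123'));
```

The audit deliberately reports `Secure` alongside `HttpOnly`: a session cookie that scripts cannot read but that still travels over plain HTTP is only half protected. In practice you would feed `auditSetCookieHeaders` the `Set-Cookie` values from a login response captured in a proxy or integration test, and fail the build when it returns any finding.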