The HttpOnly flag ensures your web application's cookie cannot be accessed by client-side scripts running in the user's browser.
Preventing client-side scripts from reading cookie content may reduce the probability of a cross-site scripting attack materializing into a successful session hijack.
1 – Verify mod_headers.so is enabled in your httpd.conf.
2 – Add the directive below to httpd.conf. It appends the HttpOnly and Secure attributes to Set-Cookie response headers.
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
3 – Restart the Apache server.
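To confirm the change after the restart, the following added example (not part of the original article) audits the Set-Cookie lines of a captured response for both attributes. The function name audit_cookies, the sample functions and the header values are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit Set-Cookie response headers for HttpOnly and Secure.
# Live use (host is a placeholder): curl -sI https://your-host/ | audit_cookies

# Reads raw response headers on stdin, prints one line per missing attribute,
# and returns 1 if any cookie lacks HttpOnly or Secure, 0 otherwise.
audit_cookies() {
  awk '
    {
      sub(/\r$/, "")                                # tolerate CRLF endings
      if (tolower($0) !~ /^set-cookie:/) next       # header names are case-insensitive
      value = substr($0, index($0, ":") + 1)
      n = split(value, parts, ";")
      name = parts[1]
      sub(/^[ \t]+/, "", name)                      # trim leading space
      sub(/[=].*/, "", name)                        # keep the cookie name only
      httponly = 0; secure = 0
      for (i = 2; i <= n; i++) {                    # attributes follow name=value
        attr = tolower(parts[i])
        gsub(/[ \t]/, "", attr)
        if (attr == "httponly") httponly = 1
        if (attr == "secure") secure = 1
      }
      if (!httponly) { print name ": missing HttpOnly"; bad = 1 }
      if (!secure)   { print name ": missing Secure"; bad = 1 }
    }
    END { exit bad + 0 }
  '
}

# Constructed sample: a response before the directive is active.
sample_before() {
  printf 'HTTP/1.1 200 OK\r\nSet-Cookie: SESSIONID=abc123; Path=/\r\n'
  printf 'Set-Cookie: theme=dark; Path=/; Secure\r\n\r\n'
}

# Constructed sample: the same cookies after "$1;HttpOnly;Secure" is appended.
sample_after() {
  printf 'HTTP/1.1 200 OK\r\nSet-Cookie: SESSIONID=abc123; Path=/;HttpOnly;Secure\r\n'
  printf 'Set-Cookie: theme=dark; Path=/; Secure;HttpOnly;Secure\r\n\r\n'
}

sample_before | audit_cookies || echo "before: flags missing"
sample_after  | audit_cookies && echo "after: all cookies flagged"
```

The second constructed cookie shows that the directive appends its attributes unconditionally, so a cookie that already carried Secure ends up with it twice.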