Enable HTTP Only Cookie Flag

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read

    • Use the glide.cookies.http_only property to enable the HTTPOnly attribute for sensitive cookies.

    If the glide.cookies.http_only system property is not set to the recommended value of true, then the instance does not require the HTTPOnly attribute for sensitive cookies.

    Ensure that the property glide.cookies.http_only is set to true.

    Warning:
    This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

    More information

    Attribute Description
    Configuration name glide.cookies.http_only
    Configuration type System Properties (/sys_properties_list.do)
    Data type Boolean
    Recommended value true
    Default value <none>
    Fallback value true
    Category Session management
    Security risk
    • Severity score: 8.0
    • CVSS rating: High
    • Security risk details: The HTTPOnly attribute is used to prevent attacks, such as cross-site scripting, because it doesn't allow access to the cookie using a client-side script, such as JavaScript.
    Functional impact None
    Dependencies and prerequisites None

    To learn more about adding or creating a system property, see Add a system property.