include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For example In C# you can specify the HttpOnly flag for https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcookie?view=netframework-4.8[HttpCookie] object.

----
HttpCookie myCookie = new HttpCookie("Sensitive cookie");
myCookie.HttpOnly = false;  // Sensitive:  this sensitive cookie is created with the httponly flag set to false and so it can be stolen easily in case of XSS vulnerability
----

The https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcookie.httponly?view=netframework-4.8[default value] of ``secure`` flag is false:

----
HttpCookie myCookie = new HttpCookie("Sensitive cookie"); 
// Sensitive: this sensitive cookie is created with the httponly flag not defined (by default set to false)  and so it can be stolen easily in case of XSS vulnerability
----

== Compliant Solution

----
HttpCookie myCookie = new HttpCookie("Sensitive cookie");
myCookie.HttpOnly = true; // Compliant: the sensitive cookie is protected against theft thanks to the HttpOnly property set to true (HttpOnly = true)
----

include::../see.adoc[]