== Recommended Secure Coding Practices

* By default, the ``++HttpOnly++`` flag should be set to _true_ for most cookies; it is mandatory for session and other security-sensitive cookies.
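
The following is an added example, not part of the original rule text: a small audit of `Set-Cookie` header values that reports cookies sent without ``++HttpOnly++``, marking the finding as mandatory for session or sensitive cookies and as recommended otherwise. The cookie names in `SENSITIVE_NAMES`, the function names and the sample headers are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

# Assumption: names of the application's session / security-sensitive cookies.
SENSITIVE_NAMES = {"sessionid", "jsessionid", "phpsessid", "auth_token"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, set of lowercased attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive, so normalise them before comparing.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_httponly(header_values, sensitive_names=SENSITIVE_NAMES):
    """Return (cookie_name, severity) for every cookie sent without HttpOnly."""
    findings = []
    for value in header_values:
        name, attrs = parse_set_cookie(value)
        if "httponly" in attrs:
            continue
        severity = "mandatory" if name.lower() in sensitive_names else "recommended"
        findings.append((name, severity))
    return findings


def build_session_cookie(name, value):
    """Build a Set-Cookie value with HttpOnly set, using the standard library."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["httponly"] = True
    return cookie[name].OutputString()


# Constructed sample response headers (not captured from a real site).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure",           # session cookie, flag missing
    "JSESSIONID=9f2c; Path=/; HttpOnly; Secure",  # compliant
    "theme=dark; Path=/; Max-Age=31536000",       # non-sensitive, flag missing
    "csrf_hint=1; path=/; httponly",              # compliant, lowercase attribute
]

if __name__ == "__main__":
    for cookie_name, severity in audit_httponly(SAMPLE_HEADERS):
        print(f"{cookie_name}: HttpOnly missing ({severity})")
    print(build_session_cookie("sessionid", "abc123"))
```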