Cookies set without the httponly flag can be read by a client-side script, leading to cookie theft from Cross-Site Scripting (XSS) attacks. When a cookie is created, the default value of httponly is False. It is recommended to explicitly set httponly to True to prevent the risk.

Cross-Site Scripting (XSS) attacks target the theft of session-cookies. If httponly attribute is set to True, it won't be possible to exploit the XSS vulnerability to steal session-cookies.

Bad practice

# The cookie is not secure here:
some_response.set_cookie('sensitive', 'some_value')

Recommended

# The cookie is secure here:
some_response.set_cookie('sensitive', 'some_value', httponly=True)

References:

• Security considerations laid down in the Flask Documentation.
• OWASP Top 10 2021 Category A05 - Security Misconfiguration
• Cross-Site Scripting (XSS) attacks are an OWASP top 10 security threat: Category A7
• OWASP HttpOnly
• CWE-1004

Exceptions:

While this issue mostly makes sense if you're setting a sensitive cookie, DeepSource will flag all the cookies encountered without the httponly flag. This is to ensure that you are aware of all the cookies being set and avoid false negatives.