FE Interview Hub

What are cookie attributes? How to prevent JS from accessing cookies?

Attribute          Description
Name=Value         The cookie's name and its value
Domain             Which hosts the browser will send the cookie to (defaults to the issuing host)
Path               Which URL paths the browser will send the cookie to
Expires / Max-Age  When the cookie expires and is discarded by the browser
Secure             Only sent over HTTPS connections
HttpOnly           Prevents JavaScript from reading it via document.cookie
SameSite           Controls whether the cookie is sent on cross-site requests (Strict, Lax, None)

How to Prevent JS from Accessing Cookies?

Set the HttpOnly attribute to prevent JavaScript from reading the cookie:

Set-Cookie: sessionId=abc123; HttpOnly; Secure; SameSite=Strict

With HttpOnly set, document.cookie cannot read that cookie, so script injected through an XSS flaw cannot read and exfiltrate the user's session token. It does not stop the XSS itself, but it removes cookie theft as a payoff.

SameSite Attribute Explained

  • Strict: Never sent on cross-site requests, including top-level navigations from another site; highest security
  • Lax (default): Sent on top-level navigations from another site that use a safe method (e.g. following a link, a GET request), but not on cross-site subresource requests or POST forms
  • None: Sent on all cross-site requests, but must be paired with Secure or the browser rejects the cookie
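The two rules above (HttpOnly for session cookies, and SameSite=None only together with Secure) can be checked mechanically on outgoing Set-Cookie headers. The following is an added example, not code from the original page: a small parser plus an audit function that reports the missing or inconsistent attributes. The function names and finding messages are this example's own choices.

```javascript
// Parse a single Set-Cookie header value into name, value and its attributes.
// Attribute names are case-insensitive, so they are lowercased; flag attributes
// such as HttpOnly and Secure are stored as `true`.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    attrs: {},
  };
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// Audit a Set-Cookie header against the attributes discussed above and return
// a list of findings (empty means the cookie is hardened as recommended).
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  const sameSite =
    typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : undefined;

  if (!c.attrs.httponly) {
    findings.push('missing HttpOnly: readable via document.cookie, so XSS can exfiltrate it');
  }
  if (!c.attrs.secure) {
    findings.push('missing Secure: cookie is also sent over plain HTTP');
  }
  if (sameSite === undefined) {
    findings.push('missing SameSite: browser falls back to Lax');
  }
  if (sameSite === 'none' && !c.attrs.secure) {
    findings.push('SameSite=None without Secure: modern browsers reject this cookie');
  }
  return findings;
}

// Constructed sample headers: the hardened one from the text and two weak ones.
console.log(auditSetCookie('sessionId=abc123; HttpOnly; Secure; SameSite=Strict')); // []
console.log(auditSetCookie('sessionId=abc123'));                                    // 3 findings
console.log(auditSetCookie('sid=1; SameSite=None'));                                // 3 findings
```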
