The HttpOnly cookie attribute tells the browser to prevent client-side scripts from reading cookies with the attribute, and its use
can go a long way to defending against Cross-Site Scripting (XSS) attacks. Thus, as a precaution, the attribute should be set by default on all
cookies set server-side, such as session id cookies.
Setting the attribute can be done either programmatically, or globally via configuration files.
This rule raises an issue when:

- HttpOnly is missing from php.ini or explicitly set to false
- setcookie()'s last parameter is explicitly set to false

; php.ini
session.cookie_httponly=false ; Noncompliant; explicitly set to false

// file.php
setcookie($name, $value, $expire, $path, $domain, $secure, false); // Noncompliant; explicitly set to false
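The compliant counterpart, as an added example that is not part of the rule description: it covers both ways the text mentions of setting the attribute, globally (checking the php.ini default at runtime and correcting it with ini_set() before the session starts) and programmatically (session_set_cookie_params() for the session cookie, and both setcookie() signatures for application cookies). The cookie names, values and lifetimes are constructed for illustration; the array-options signatures require PHP 7.3 or later.

```php
<?php
// Added example: issuing every cookie with HttpOnly set.
// Cookie names, values and lifetimes below are constructed, not from the rule page.

declare(strict_types=1);

// 1. Global default. php.ini normally carries session.cookie_httponly=1;
//    if a deployment dropped or disabled it, re-enable it here. ini_set()
//    only takes effect for the session cookie when called before session_start().
if (!filter_var(ini_get('session.cookie_httponly'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('session.cookie_httponly is disabled in php.ini; enabling it at runtime');
    ini_set('session.cookie_httponly', '1'); // compliant: equivalent of session.cookie_httponly=1
}

// 2. Session cookie. Setting the parameters explicitly before session_start()
//    does not depend on php.ini at all, so the PHPSESSID cookie is issued with
//    HttpOnly (plus Secure and SameSite) whatever the server configuration is.
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie
    'path'     => '/',
    'domain'   => '',       // current host only
    'secure'   => true,     // sent over HTTPS only
    'httponly' => true,     // compliant: not readable via document.cookie
    'samesite' => 'Strict',
]);
session_start();

// 3. Application cookie, array-options signature. The 'httponly' key plays the
//    role of setcookie()'s last positional parameter; omitting it would fall
//    back to the php.ini default, so it is stated explicitly.
setcookie('app_pref', 'dark', [
    'expires'  => time() + 60 * 60 * 24 * 30, // 30 days
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,     // compliant
    'samesite' => 'Lax',
]);

// 4. Same cookie attributes with the legacy positional signature, for code that
//    cannot move to the array form yet: the seventh argument is $httponly.
setcookie('legacy_pref', 'dark', time() + 3600, '/', '', true, true); // compliant: last parameter true
```

Both signatures are shown because the rule flags the seventh positional parameter of setcookie(); in the array form the same flag is the 'httponly' key, and static analysis of either form should see an explicit true rather than a silent reliance on the server's php.ini.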