HttpOnly is a flag in the cookie header to hide data from JavaScript
HttpOnly is a flag in the Set-Cookie response header that tells the browser to hide the cookie from JavaScript and to send it only with HTTP and HTTPS requests.
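As an added example (not part of the original page), this Python code audits Set-Cookie header values and lists the cookies that lack the HttpOnly flag and therefore stay readable by page scripts. The function names and the sample headers are constructed for illustration.

```python
"""Audit Set-Cookie header values for the HttpOnly flag (added example)."""


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (cookie name, attribute names)."""
    pair, _, rest = value.partition(";")
    name, sep, _ = pair.partition("=")
    if not sep or not name.strip():
        raise ValueError("not a name=value cookie: %r" % value)
    # Attribute names are case-insensitive, and only the part before '='
    # is the attribute name, so "httponly" and "HttpOnly" are the same flag.
    attrs = {a.partition("=")[0].strip().lower() for a in rest.split(";")}
    attrs.discard("")
    return name.strip(), attrs


def script_readable(header_values):
    """Return the names of cookies that are set without the HttpOnly flag."""
    readable = []
    for value in header_values:
        name, attrs = parse_set_cookie(value)
        if "httponly" not in attrs:
            readable.append(name)
    return readable


# Constructed sample header values (not taken from a real site).
SAMPLE = [
    "session=abc123; Path=/; Secure; HttpOnly",
    "csrf=9f1c; Path=/; Secure",
    "theme=HttpOnly; Path=/",      # flag text inside the value does not count
    "auth=zzz; path=/; httponly",  # lower-case attribute still counts
]

if __name__ == "__main__":
    for cookie_name in script_readable(SAMPLE):
        print("readable from JavaScript:", cookie_name)
```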
Important Note
HttpOnly just makes exploiting XSS vulnerabilities a little more difficult. It does not provide protection against XSS.